Commit 78d3a47

Create MSC with fixes for client well-known
Signed-off-by: Aaron Raimist <aaron@raim.ist>
1 parent be1669d commit 78d3a47

1 file changed

+35
-0
lines changed

@@ -0,0 +1,35 @@
1+
# MSCXXXX: Fixes for Client Well-known URI
2+
3+
Several minor issues and inconsistencies have cropped up since the `/.well-known/matrix/client`
4+
method was added to allow clients to discover servers. This proposal intends to fix these issues.
5+
6+
## Proposal
7+
8+
The following changes should be made to the client server spec:
9+
10+
1. The spec does not mention that redirects should be followed. The spec should be changed to
11+
state that when a client is looking up the well-known URI, it should follow HTTP 3xx redirects
12+
up to 30 times. This is consistent with the redirects followed when a server resolves a
13+
server name using `/.well-known/matrix/server`.
14+
15+
1. Currently the spec does not mention which Content-Type should be used for the response to
16+
`/.well-known/matrix/client`. The Content-Type SHOULD be `application/json` however it
17+
should be assumed to be JSON regardless of type. This is consistent with the Server-Server API.
18+
19+
1. When a client is following the flow described in the spec for looking up `/.well-known/matrix/client`,
20+
the spec currently states, in part:
21+
22+
> 3․ Make a GET request to https://hostname/.well-known/matrix/client.<br>
23+
>> a․ If the returned status code is 404, then `IGNORE`.<br>
24+
>> b․ If the returned status code is not 200, or the response body is empty, then `FAIL_PROMPT`.
25+
26+
In practice most web servers do not add CORS headers on 404 errors by default. Therefore
27+
web based clients cannot always determine if the status code is 404. Step 3b should be
28+
changed from `FAIL_PROMPT` to `IGNORE` so that a non 200 response is treated in the same
29+
way as 404. This change is intended to fix issues like https://github.com/vector-im/riot-web/issues/7875.
30+
31+
This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136.
32+
33+
1. Step 3f in the flow should be changed to use the modern `/_matrix/identity/v2` API to
34+
validate the identity server rather than the deprecated `/_matrix/identity/api/v1`. Clients
35+
should fall back to the v1 API as described in the identity service spec.
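
Review bot: Item 3 (new-file lines 26-31) relaxes step 3b from `FAIL_PROMPT` to `IGNORE` but leaves the security impact to a link ("This change does have potential security concerns, see ..."). The proposal should state the concern itself, ideally under its own "Security considerations" heading, so the trade-off can be reviewed without leaving the document. The quoted step 3b also covers "the response body is empty", while the rationale only addresses status codes a web client cannot read when CORS headers are missing; say whether an empty 200 body is meant to become `IGNORE` as well, or split 3b so that only the status-code case changes. In item 1 (lines 10-13), the redirect rule sets a limit of 30 but does not say whether a redirect may leave `https` or move to a different host, which is worth pinning down because this lookup is how the client discovers the server it will talk to. The title on line 1 still carries the `MSCXXXX` placeholder.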
