MSC2398: proposal to allow mxc:// in the "a" tag within messages

[eras]

Currently message events (m.room.message) can contain formatted data in its formatted_body field, if the format of the message is org.matrix.custom.html. This is a proposal to allow the mxc:// schema to appear also for a tags in addition to just img tags currently permitted (in fact, required).

Rendered: https://github.com/eras/matrix-doc/blob/MSC2398-mxc-for-a-tags/proposals/2398-allow-mxc-within-message-links.md

---

SCT:

Implementation: Not required. Feature appears to be self-contained enough to make sense as-is. ~TravisR

FCP tickyboxes

[KitsuneRal]

Since mxc:// is effectively a proxy scheme to https://<media-api-path>/download, this looks like a very good way to refer to content residing on Matrix media servers. The alternative, actually, does exist: to use the HTTP(S) /download URL, which is by definition inferior to this proposal.

[turt2live]

@eras also slightly annoying, but the proposal needs to be signed off so we can merge it: https://github.com/matrix-org/matrix-doc/blob/master/CONTRIBUTING.rst#sign-off

[eras]

Updated.

Changes:

• Added note about alternatives per @KitsuneRal 's comment
• Removed changes to instant_messaging.rst per @turt2live 's comment
• Added a Signed Off -line to the commit message per @turt2live 's comment

[turt2live]

Thanks! The proposal itself looks very sane.

[eras]

So it came to me that an implementation should be careful when implementing this.

In particular, when a web-based client opens a HTML document from the same domain as the Matrix API, the document can probably use JavaScript to make requests with the user's credentials.

[ShadowJonathan]

@eras i believe those thoughts would be best served under the "Security Considerations" header in the proposal 👍

[turt2live]

non-blocking concerns

[turt2live]

Suggested change

	The spec for `a` tags says:
	The spec for `a` tags [says](https://spec.matrix.org/v1.8/client-server-api/#mroommessage-msgtypes):

[turt2live]

sorry this got stuck :(

@mscbot fcp merge

[mscbot]

Team member @mscbot has proposed to merge this. The next step is review by the rest of the tagged people:

• @dbkr
• @uhoreg
• @turt2live
• @ara4n
• @anoadragon453
• @richvdh
• @erikjohnston
• @KitsuneRal

Concerns:

• add explicit text about transforming mxc link to https
• How do you implement this on web clients with MSC3916

Once at least 75% of reviewers approve (and there are no outstanding concerns), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for information about what commands tagged team members can give me.

[dbkr]

Going to raise a concern for adding the bit about transforming the mxc link just so there's a clear action point, but just to say that in spite of this and the grammar nitpicks, this is a superbly written and simple, but thorough, MSC, and in general seems like a great change. Thank you!

[dbkr]

Suggested change

	in its formatted_body field, if the format of the message is
	in their formatted_body field, if the format of the message is

[dbkr]

Suggested change

	org.matrix.custom.html. In this subset of HTML `img` tags are permitted
	org.matrix.custom.html. In this subset of HTML, `img` tags are permitted

[dbkr]

Suggested change

	clients are able to resolve these URIs to (ie.) HTTPs to retrieve the
	clients are able to resolve these URIs to (eg.) HTTP(s) URLs to retrieve the

Sorry if these feel nitpicky, I'm just having to re-read a couple of times to work out what the MSC is saying so attempting to clarify.

[dbkr]

Much as it's obvious, presumably the spec would also need to explicitly say that the client must transform the mxc link into an appropriate link the browser will understand (ie. what you talk about above with img tags).

[turt2live]

This feels like something which is best served by a note rather than requirement. Web clients will probably need to convert it, but other clients might be able to handle a custom scheme for network requests.

I'd suggest that this not be a blocking concern for FCP, as the spec text can provide guidance on how to handle it.

[KitsuneRal]

I would really prefer the MSC say explicitly that clients should manage this scheme in one way or another - ultimately a custom handler will have to translate the mxc URL into an HTTP(S) request anyway.

[KitsuneRal]

Oh wait but isn't "Clients would be able to handle the mxc schema here in the exact same way they handle img tags" above exactly this description, actually? I personally think that is enough.

[anoadragon453]

What do you think @dbkr?

[dbkr]

I guess it just seemed odd to me that an explicit change to the spec text was given but then additional behaviour specified in the MSC. I suppose it's all there though so it doesn't really matter.

[dbkr]

@mscbot concern add explicit text about transforming mxc link to https

[dbkr]

@mscbot resolve add explicit text about transforming mxc link to https

[ara4n]

It's probably worth spelling out explicitly here that the security risks of linking directly to content in the repository is not just HTML, but any format which can execute code and potentially XSS needs to be mitigated by a valid CSP - e.g. JS, PDF, SWF, SVG. This isn't anything new, but it's still a security consideration. I can't think of a world where a HTTPS url derived from an MXC URL wouldn't be subject to CSP when a plain HTTPS url to the same content would, but still worth spelling it out at least in the MSC, if not the final spec.

[mscbot]

🔔 This is now entering its final comment period, as per the review above. 🔔

[erikjohnston]

How does this proposal interact with MSC3916, which basically adds authentication to the media API? I assume if we can make it work for img tags we can make it work for a, but I think that needs to be verified.

[turt2live]

The media ID would be attributed to a single event somewhere, and clients would be translating mxc:// to https:// for the user. This then behaves no differently than if a user were to get linked to the download endpoint directly - authentication would be required, and if that user can't see the original event then the link is broken for that user.

[erikjohnston]

This then behaves no differently than if a user were to get linked to the download endpoint directly - authentication would be required, and if that user can't see the original event then the link is broken for that user.

But getting linked directly to the download endpoint won't work, as there is no way for a user to authenticate AIUI? I thought for media web clients would potentially need to download the media in service workers or whatever to make the authentication work, in a similar manner as today to make encrypted attachments work. Is that method viable here?

[turt2live]

A service worker would be required, which should be workable. The client can essentially iframe it and append the appropriate headers. This then ties into Matthew's comment about security considerations: #2398 (comment)

I'm tempted to suggest a blocking concern on this as it feels valuable to test/implement, particularly while MSC3916 and friends are being experimented with. It's akin to custom emoji/stickers where I think we want to avoid making the problem worse short-term if we can avoid it.

[erikjohnston]

@mscbot concern How do you implement this on web clients with MSC3916

Sorry, but sounds like we need to double check the above before we can land this. Hopefully someone can just confirm its possible. c.f. #2398 (comment)

[mscbot]

The final comment period, with a disposition to merge, as per the review above, is now complete.

[turt2live]

(FCP is not complete because there are outstanding concerns - see matrix-org/mscbot-python#3 )

[turt2live]

The outstanding concern on this does not appear easily resolved - I'm cancelling FCP or returning this MSC back to its pre-FCP state (whichever the bot lets me do) pending further work in the area of media linking. It feels like changes may be required that would warrant a new FCP call anyways.

@mscbot fcp cancel

[mscbot]

This proposal is not in FCP nor has had FCP proposed.