Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Clarify security note regarding the domain Synapse is hosted on. #9221

Merged
merged 3 commits into from
May 27, 2021
Merged

Clarify security note regarding the domain Synapse is hosted on. #9221

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
76be057
Clarify security note regarding the domain Synapse is hosted on.
dkasak Jan 25, 2021
10ccc2c
Add newsfile for #9221.
dkasak Jan 26, 2021
52ee284
Revise after review.
dkasak May 26, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Revise after review.
  • Loading branch information
@dkasak
dkasak committed May 26, 2021
commit 52ee284d87db4b35ee5182e64892809b917de1f6
33 changes: 27 additions & 6 deletions README.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,15 +157,36 @@ repository endpoints`_.

.. _content repository endpoints: https://matrix.org/docs/spec/client_server/latest.html#get-matrix-media-r0-download-servername-mediaid

Whilst we make a reasonable effort to mitigate against XSS attacks (such as
using `CSP`_), ideally a Matrix homeserver should be hosted on a dedicated
domain name not shared by other web applications. This particularly applies to
sharing the domain with Matrix web clients and other sensitive applications
like webmail.
Whilst we make a reasonable effort to mitigate against XSS attacks (for
instance, by using `CSP`_), a Matrix homeserver should not be hosted on a
domain hosting other web applications. This especially applies to sharing
the domain with Matrix web clients and other sensitive applications like
webmail. See
https://developer.github.com/changes/2014-04-25-user-content-security for more
information.

.. _CSP: https://github.com/matrix-org/synapse/pull/1021

Using a separate domain ensures that even if an XSS is found in Synapse, the
Ideally, the homeserver should not simply be on a different subdomain, but on
a completely different `registered domain`_ (also known as top-level site or
eTLD+1). This is because `some attacks`_ are still possible as long as the two
applications share the same registered domain.

.. _registered domain: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-2.3

.. _some attacks: https://en.wikipedia.org/wiki/Session_fixation#Attacks_using_cross-subdomain_cookie

To illustrate this with an example, if your Element Web or other sensitive web
application is hosted on ``A.example1.com``, you should ideally host Synapse on
``example2.com``. Some amount of protection is offered by hosting on
``B.example1.com`` instead, so this is also acceptable in some scenarios.
However, you should *not* host your Synapse on ``A.example1.com``.

Note that all of the above refers exclusively to the domain used in Synapse's
Copy link
Member Author

@dkasak dkasak May 26, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure whether this paragraph is confusing or clarifying. I thought it was good to mention the setting it is talking about explicitly. Thoughts?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's good.

``public_baseurl`` setting. In particular, it has no bearing on the domain
mentioned in MXIDs hosted on that server.

Following this advice ensures that even if an XSS is found in Synapse, the
impact to other applications will be minimal.


Expand Down