@ -17,19 +17,6 @@ the client or server should follow HTTP 301, 302, 303, 307, and 308 redirects up
SHOULD be `application/json` however it should be assumed to be JSON regardless of Content-Type.
This is consistent with the Server-Server API.
1. The Client-Server spec for looking up `/.well-known/matrix/client` currently states, in part:
> 3․ Make a GET request to https://hostname/.well-known/matrix/client.<br>
>> a․ If the returned status code is 404, then `IGNORE`.<br>
>> b․ If the returned status code is not 200, or the response body is empty, then `FAIL_PROMPT`.
In practice most web servers do not add CORS headers on 404 errors by default. Therefore
web based clients cannot always determine if the status code is 404. Step 3b should be
changed from `FAIL_PROMPT` to `IGNORE` so that a non 200 response is treated in the same
way as 404. This change is intended to fix issues like https://github.com/vector-im/riot-web/issues/7875.
This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136.
1. Step 3f in the Client-Server well-known flow should be changed to use the modern
`/_matrix/identity/v2` API to validate the identity server rather than the deprecated
`/_matrix/identity/api/v1`.
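Review bot: the security concern behind relaxing step 3b from `FAIL_PROMPT` to `IGNORE` is only referenced by link (https://github.com/vector-im/riot-web/issues/11136) and never stated in the proposal text, so a reader of the spec cannot see what risk the change accepts or what mitigates it; the same hunk also asks clients to treat the body as JSON "regardless of Content-Type" without saying why that is safe. Suggest expanding "This change does have potential security concerns" into a short paragraph that names the concern and the accepted mitigation, and adding one sentence justifying the Content-Type leniency, so the rationale survives in the spec rather than in an external issue tracker. Minor style point: both list items are numbered `1.`; that renders correctly in Markdown but reads oddly in the raw diff.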