|
|
|
|
@ -1,23 +1,23 @@
|
|
|
|
|
# MSC2499: Fixes for Client Well-known URI
|
|
|
|
|
# MSC2499: Fixes for Well-Known URIs
|
|
|
|
|
|
|
|
|
|
Several minor issues and inconsistencies have cropped up since the `/.well-known/matrix/client`
|
|
|
|
|
method was added to allow clients to discover servers. This proposal intends to fix these issues.
|
|
|
|
|
Several minor issues and inconsistencies have come up with the well-known URIs used for
|
|
|
|
|
discovering clients and servers. This proposal intends to fix these issues.
|
|
|
|
|
|
|
|
|
|
## Proposal
|
|
|
|
|
|
|
|
|
|
The following changes should be made to the client server spec:
|
|
|
|
|
The following changes should be made to the spec:
|
|
|
|
|
|
|
|
|
|
1. The spec does not mention that redirects should be followed. The spec should be changed to
|
|
|
|
|
state that when a client is looking up the well-known URI, it should follow HTTP 3xx redirects
|
|
|
|
|
up to 30 times. This is consistent with the redirects followed when a server resolves a
|
|
|
|
|
server name using `/.well-known/matrix/server`.
|
|
|
|
|
1. The spec does not mention that redirects should be followed for `/.well-known/matrix/client`
|
|
|
|
|
and does not clearly specify what type of redirects should be followed for `/.well-known/matrix/server`.
|
|
|
|
|
To fix this, the spec should be changed to state that when a well-known URI is requested,
|
|
|
|
|
the client or server should follow HTTP 301, 302, 303, 307, and 308 redirects up to 30 times.
|
|
|
|
|
|
|
|
|
|
1. Currently the spec does not mention which Content-Type should be used for the response to
|
|
|
|
|
`/.well-known/matrix/client`. The Content-Type SHOULD be `application/json` however it
|
|
|
|
|
should be assumed to be JSON regardless of type. This is consistent with the Server-Server API.
|
|
|
|
|
`/.well-known/matrix/client`. The Client-Server spec should be changed to state the Content-Type
|
|
|
|
|
SHOULD be `application/json` however it should be assumed to be JSON regardless of Content-Type.
|
|
|
|
|
This is consistent with the Server-Server API.
|
|
|
|
|
|
|
|
|
|
1. When a client is following the flow described in the spec for looking up `/.well-known/matrix/client`,
|
|
|
|
|
the spec currently states, in part:
|
|
|
|
|
1. The Client-Server spec for looking up `/.well-known/matrix/client` currently states, in part:
|
|
|
|
|
|
|
|
|
|
> 3․ Make a GET request to https://hostname/.well-known/matrix/client.<br>
|
|
|
|
|
>> a․ If the returned status code is 404, then `IGNORE`.<br>
|
|
|
|
|
@ -30,6 +30,9 @@ the spec currently states, in part:
|
|
|
|
|
|
|
|
|
|
This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136.
|
|
|
|
|
|
|
|
|
|
1. Step 3f in the flow should be changed to use the modern `/_matrix/identity/v2` API to
|
|
|
|
|
validate the identity server rather than the deprecated `/_matrix/identity/api/v1`. Clients
|
|
|
|
|
should fall back to the v1 API as described in the identity service spec.
|
|
|
|
|
1. Step 3f in the Client-Server well-known flow should be changed to use the modern
|
|
|
|
|
`/_matrix/identity/v2` API to validate the identity server rather than the deprecated
|
|
|
|
|
`/_matrix/identity/api/v1`.
|
|
|
|
|
|
|
|
|
|
1. The maximum size of size of the well-known file is 51200 bytes. A client or server
|
|
|
|
|
requesting a well-known file MUST abort and FAIL_PROMPT if the response exceeds 51200 bytes.
|
Aaron Raimist
5 years ago