From 9ca1b651b7d1da0fc112005e5e010e63bcd5cd3d Mon Sep 17 00:00:00 2001
From: Aaron Raimist <aaron@raim.ist>
Date: Sun, 25 Apr 2021 23:52:29 -0500
Subject: [PATCH] Clarify redirects that should be followed, add maximum size

Signed-off-by: Aaron Raimist <aaron@raim.ist>
---
 proposals/2499-client-well-known-fixes.md | 33 ++++++++++++-----------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/proposals/2499-client-well-known-fixes.md b/proposals/2499-client-well-known-fixes.md
index 43daf19e4..3fc44c9bd 100644
--- a/proposals/2499-client-well-known-fixes.md
+++ b/proposals/2499-client-well-known-fixes.md
@@ -1,23 +1,23 @@
-# MSC2499: Fixes for Client Well-known URI
+# MSC2499: Fixes for Well-Known URIs
 
-Several minor issues and inconsistencies have cropped up since the `/.well-known/matrix/client`
-method was added to allow clients to discover servers. This proposal intends to fix these issues.
+Several minor issues and inconsistencies have come up with the well-known URIs used for
+discovering clients and servers. This proposal intends to fix these issues.
 
 ## Proposal
 
-The following changes should be made to the client server spec:
+The following changes should be made to the spec:
 
-1. The spec does not mention that redirects should be followed. The spec should be changed to
-state that when a client is looking up the well-known URI, it should follow HTTP 3xx redirects
-up to 30 times. This is consistent with the redirects followed when a server resolves a
-server name using `/.well-known/matrix/server`.
+1. The spec does not mention that redirects should be followed for `/.well-known/matrix/client`
+and does not clearly specify what type of redirects should be followed for `/.well-known/matrix/server`.
+To fix this, the spec should be changed to state that when a well-known URI is requested,
+the client or server should follow HTTP 301, 302, 303, 307, and 308 redirects up to 30 times.
 
 1. Currently the spec does not mention which Content-Type should be used for the response to
-`/.well-known/matrix/client`. The Content-Type SHOULD be `application/json` however it
-should be assumed to be JSON regardless of type. This is consistent with the Server-Server API.
+`/.well-known/matrix/client`. The Client-Server spec should be changed to state the Content-Type
+SHOULD be `application/json` however it should be assumed to be JSON regardless of Content-Type.
+This is consistent with the Server-Server API.
 
-1. When a client is following the flow described in the spec for looking up `/.well-known/matrix/client`,
-the spec currently states, in part:
+1. The Client-Server spec for looking up `/.well-known/matrix/client` currently states, in part:
 
     > 3․ Make a GET request to https://hostname/.well-known/matrix/client.<br>
 	>>  a․ If the returned status code is 404, then `IGNORE`.<br>
@@ -30,6 +30,9 @@ the spec currently states, in part:
   
     This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136.
 
-1. Step 3f in the flow should be changed to use the modern `/_matrix/identity/v2` API to
-validate the identity server rather than the deprecated `/_matrix/identity/api/v1`. Clients
-should fall back to the v1 API as described in the identity service spec.
+1. Step 3f in the Client-Server well-known flow should be changed to use the modern
+`/_matrix/identity/v2` API to validate the identity server rather than the deprecated
+`/_matrix/identity/api/v1`.
+
+1. The maximum size of size of the well-known file is 51200 bytes. A client or server
+requesting a well-known file MUST abort and FAIL_PROMPT if the response exceeds 51200 bytes.
\ No newline at end of file