archive
/
matrix-spec-proposals
mirror of https://github.com/matrix-org/matrix-spec-proposals
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge 11ac726c20 into ecf996389f

Browse Source
pull/2370/merge
Hubert Chathi 2 months ago committed by GitHub
parent ecf996389f 11ac726c20
commit d1bbe80b5d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 88 additions and 0 deletions
Show Stats Download Patch File Download Diff File

88
proposals/2370-resolve-url.md
Unescape Escape View File

@ -0,0 +1,88 @@
# Resolve URL API
(This document is heavily based on
https://docs.google.com/document/d/1bbX1yxNETmMa-AxBGjIpb4lNoTuc3vjGXmbZWrNBlzM/edit)
Users sometimes want to upload images to Matrix rooms that they see on other
web pages; currently, the way for them to do that is to download the image and
upload it to their homeserver. However, this is inefficient, especially for
users with constrained bandwidth, as the user's homeserver could simply
download the image itself.
In addition, users sometimes want to drag-and-drop images from web pages to
their Matrix client to send them. However, for web-based clients, doing so
only gives them the URL of the image, and [due to CORS
restrictions](https://github.com/vector-im/riot-web/issues/3015#issuecomment-348802045),
the client cannot download the image to re-upload it.
Web-based clients have a similar problem if they want to [automatically resolve
`<img>`
tags](https://github.com/vector-im/riot-web/issues/7100#issuecomment-408651555)
entered by a client from an HTTP(S) URL to an `mxc:` URL.
## Proposal
Add a new endpoint to resolve a URL.
Example:
Request:
```
POST /_matrix/media/r0/resolve_url
Content-Type: application/json
Authentication: Bearer <access token>
{
"url": "<media-url>"
}
```
Response:
```
Content-Type: application/json
{
"content_uri": "mxc://<server-name>/<media-id>",
"content_type": "<MIME type of the URL>"
}
```
This endpoint requires authentication. It causes the homeserver to download
the resource located at the specified URL, place it in the media repository,
and return the `mxc:` URL for the resource, along with the MIME type.
Errors can occur when processing the request.
* If the resource cannot be downloaded due to the URL returning a 404 error, the
endpoint should respond with an `M_NOT_FOUND` error and HTTP code 404.
* If the resource cannot be downloaded due to the URL returning another error,
the endpoint should respond with an `M_UNKNOWN` error and HTTP code 400.
* If the resource cannot be downloaded because it has been blacklisted, it should
respond with an `M_FORBIDDEN` error and HTTP code 403.
* If the resource is larger than the homeserver's limit, it should
respond with an `M_TOO_LARGE` error and HTTP code 400.
## Security considerations
This endpoint can be used to turn a homeserver into an HTTP proxy, so measures
need to be taken to mitigate this.
* Only authorized users should be allowed to call this endpoint.
* This endpoint should be rate limited.
* Homeservers may wish to restrict the MIME types that it is willing to
download (for example, only images).
* Homeservers should allow administrators to blacklist URL patterns and IP
addresses to prevent users from being able to access resources that are only
available on an internal network.
Since the homeserver downloads the file, this will not work for trying to
upload encrypted files for end-to-end encrypted rooms.
## Unstable prefix
Unstable implementations should use the
`/_matrix/media/unstable/org.matrix/resolve_url` endpoint.
Additionally, servers implementing this feature should advertise that they do
so by exposing a `org.matrix.resolve_url` flag in the `unstable_features` part
of the `/versions` response.
Write Preview
Loading…
Cancel
Save