archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
release/v1.12
dbkr/msc4178
release/v1.11
tulir/msc4142
release/v1.10
travis/msc2702-msc2701
rav/ref_objects_in_params
dkasak/foldable-sidebar
travis/knock-join
release/v1.9
release/v1.8
anoa/update_docsy
anoa/nix_flake
dbkr/3077-multi-stream-voip
release/v1.7
dbkr/2746-reliable-voip
rav/links_for_object_defs
release/v1.6
release/v1.5
release/v1.4
anoa/invite_knock_room_state
release/v1.3
push_gateway/r0.1.0
r0.0.0
0.2.0
application_service/r0.1.0
application_service/r0.1.1
application_service/r0.1.2
client-server/0.3.0
client-server/r0.1.0
client-server/r0.2.0
client-server/r0.3.0
client_server/r0.4.0
client_server/r0.5.0
client_server/r0.6.0
client_server/r0.6.1
identity_service/r0.1.0
identity_service/r0.2.0
identity_service/r0.2.1
identity_service/r0.3.0
push_gateway/r0.1.1
r0.0.1
server_server/r0.1.0
server_server/r0.1.1
server_server/r0.1.2
server_server/r0.1.3
server_server/r0.1.4
v1.1
v1.10
v1.11
v1.12
v1.2
v1.3
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '984e0af7b2'
${ noResults }
matrix-spec/proposals/2244-mass-redactions.md

3.3 KiB
Raw Blame History

Mass redactions

Matrix, like any platform with public chat rooms, has spammers. Currently, redacting spam essentially requires spamming redaction events in a 1:1 ratio, which is not optimal1. Most clients do not even have any mass redaction tools, likely in part due to the lack of a mass redaction API. A mass redaction API on the other hand has not been implemented as it would require sending lots of events at once. However, this problem could be solved by allowing a single redaction event to redact many events instead of sending many redaction events.

Proposal

This proposal builds upon MSC2174 and suggests making the redacts field in the content of m.room.redaction events an array of event ID strings instead of a single event ID string.

It would be easiest to do this before MSC2174 is written into the spec, as then only one migration would be needed: from an event-level redacts string to a content-level redacts array.

Number of redactions

Room v4+ event IDs are 44 bytes long, which means the federation event size limit would cap a single redaction event at a bit less than 1500 targets. Redactions are not intrinsically heavy, so a separate limit should not be necessary.

Client behavior

Clients shall apply existing m.room.redaction target behavior over an array of event ID strings.

Server behavior

The redaction auth rules should change to iterate the array and check if the sender has the privileges to redact each event.

There are at least two potential ways to handle targets that are not found or rejected: soft failing until all targets are found or handling each target separately.

Soft fail

Soft fail the event until all targets are found, then accept only if the sender has the privileges to redact every listed event. This is how redactions currently work.

This has the downside of requiring servers to fetch all the target events (and possibly forward them to clients) before being able to process and forward the redaction event.

Handle each target separately

The target events of an m.room.redaction shall no longer be considered when deciding the authenticity of an m.room.redaction event. Any other existing rules remain unchanged.

When a server accepts an m.room.redaction using the modified auth rules, it evaluates targets individually for authenticity under the existing auth rules. Servers MUST NOT include failing and unknown entries to clients.

Servers do not know whether redaction targets are authorized at the time they receive the m.room.redaction unless they are in possession of the target event. Implementations retain entries in the original list which were not shared with clients to later evaluate the target's redaction status.

When the implementation receives a belated target from an earlier m.room.redaction, it evaluates at that point whether the redaction is authorized.

Servers should not send belated target events to clients if their redaction was found to be authentic, as clients were not made aware of the redaction. That fact is also used to simply ignore unauthorized targets and send the events to clients normally.

Tradeoffs

Potential issues

Security considerations