Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC3828: Content Repository CORP Headers #3828

Merged
merged 9 commits into from
Jul 25, 2022
Merged

MSC3828: Content Repository CORP Headers #3828

Changes from 2 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
e4ce2bd
Content Repository CORP Headers
robertlong Jun 1, 2022
986e4ed
Update MSC number
robertlong Jun 1, 2022
c36fd8b
Update proposals/3828-content-repository-corp-headers.md
robertlong Jun 1, 2022
9e74fc4
Update 3828-content-repository-corp-headers.md
robertlong Jun 1, 2022
6e913f7
Fix reference to r0 media API
robertlong Jun 9, 2022
ab2b1e0
v3 not r3
robertlong Jun 9, 2022
632d5b0
Add line breaks
robertlong Jun 9, 2022
f96d60f
Add note about chrome support
robertlong Jun 14, 2022
29854f3
Update proposals/3828-content-repository-corp-headers.md
robertlong Jun 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions proposals/3828-content-repository-corp-headers.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
# MSC0000: Content Repository Cross Origin Resource Policy (CORP) Headers
robertlong marked this conversation as resolved.
Show resolved Hide resolved

In 2018 two side-channel hardware vulnerabilities, [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)) and [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)) were disclosed. In web browsers this meant that features such as high resolution timers and SharedArrayBuffer could be used to expose sensitive data across origins. In response, browser vendors have required documents that wish to continue using features such as SharedArrayBuffer to be served with the `Cross-Origin-Embedder-Policy: require-corp` header. This header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission via the `Cross-Origin-Resource-Policy` header.
turt2live marked this conversation as resolved.
Show resolved Hide resolved

Currently Matrix homeservers are expected to serve all routes with the `Access-Control-Allow-Origin: *` header. This allows web clients on one origin to fetch content from homeservers on other origins. However, when the web client uses SharedArrayBuffer and the required `Cross-Origin-Embedder-Policy: require-corp` header, all embedded documents must set the required CORP header.

## Proposal

The content repository should serve assets with the `Cross-Origin-Resource-Policy: cross-origin` header. This allows web clients to set the `Cross-Origin-Embedder-Policy: require-corp` header and enable access to APIs like SharedArrayBuffer.

This header should be set on responses from the following endpoints:

- `/_matrix/media/r0/download`
- `/_matrix/media/r0/thumbnail`
turt2live marked this conversation as resolved.
Show resolved Hide resolved

## Potential issues
robertlong marked this conversation as resolved.
Show resolved Hide resolved

See [Security considerations](#Security-considerations)

## Alternatives

Clients using features like SharedArrayBuffer cannot fetch media from the Matrix media repositories without these headers.


## Security considerations

I don't believe this poses any additional risks to private data from Matrix homeservers. We are not exposing iframes with personal data or any data that could not already be gathered from Matrix's existing APIs. However, I believe this proposal deserves thorough review.

## Unstable prefix

TODO

## Dependencies

None