| 1 | +# MSC3828: Content Repository Cross Origin Resource Policy (CORP) Headers |
| 2 | + |
| 3 | +In 2018 two side-channel hardware vulnerabilities, |
| 4 | +[Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)) |
| 5 | +and [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)) were disclosed. |
| 6 | +In web browsers this meant that features such as high resolution timers and SharedArrayBuffer |
| 7 | +could be used to expose sensitive data across origins. In response, browser vendors have |
| 8 | +required documents that wish to continue using features such as SharedArrayBuffer to be |
| 9 | +served with the `Cross-Origin-Embedder-Policy: require-corp` header. This header prevents a |
| 10 | +document from loading any cross-origin resources that don't explicitly grant the document |
| 11 | +permission via the `Cross-Origin-Resource-Policy` header. |
| 12 | + |
| 13 | +Currently Matrix homeservers are expected to serve all routes with the |
| 14 | +`Access-Control-Allow-Origin: *` header. This allows web clients on one origin to fetch |
| 15 | +content from homeservers on other origins. However, when the web client uses SharedArrayBuffer |
| 16 | +and the required `Cross-Origin-Embedder-Policy: require-corp` header, all embedded documents |
| 17 | +must set the required CORP header. |
| 18 | + |
| 19 | +## Proposal |
| 20 | + |
| 21 | +The content repository should serve assets with the `Cross-Origin-Resource-Policy: cross-origin` |
| 22 | +header. This allows web clients to set the `Cross-Origin-Embedder-Policy: require-corp` |
| 23 | +header and enable access to APIs like SharedArrayBuffer. |
| 24 | + |
| 25 | +This header should be set on responses from the following endpoints: |
| 26 | + |
| 27 | +- `/_matrix/media/v3/download` |
| 28 | +- `/_matrix/media/v3/thumbnail` |
| 29 | + |
| 30 | +## Potential issues |
| 31 | + |
| 32 | +Chrome 73-75 have problems downloading files with this header, see [bug 952834](https://crbug.com/952834). |
| 33 | +Chrome 80-85 has a [bug](https://crbug.com/1074261) with viewing multi-page PDF documents with CORP |
| 34 | +headers set to `same-origin`. This proposal is for setting the header to `cross-origin` which should |
| 35 | +not have an issue but I was not able to verify this. However, |
| 36 | +[MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)#browser_compatibility) |
| 37 | +suggests this bug was fixed in Chrome 86 by disabling partial PDF loading. I was able to verify that |
| 38 | +multi-page PDFs are viewable in the latest versions of Chrome, Safari, and Firefox with either header |
| 39 | +value set. This should only be an issue if you require supporting Chrome 73-75. |
| 40 | + |
| 41 | +Also see [Security considerations](#Security-considerations) |
| 42 | + |
| 43 | +## Alternatives |
| 44 | + |
| 45 | +Clients using features like SharedArrayBuffer cannot fetch media from the Matrix media |
| 46 | +repositories without these headers. |
| 47 | + |
| 48 | + |
| 49 | +## Security considerations |
| 50 | + |
| 51 | +I don't believe this poses any additional risks to private data from Matrix homeservers. |
| 52 | +We are not exposing iframes with personal data or any data that could not already be |
| 53 | +gathered from Matrix's existing APIs. However, I believe this proposal deserves thorough review. |
| 54 | + |
| 55 | +## Unstable prefix |
| 56 | + |
| 57 | +None |
| 58 | + |
| 59 | +## Dependencies |
| 60 | + |
| 61 | +None |
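Review bot: the Alternatives section (lines 45-46) does not name an alternative; it restates the motivation ("Clients using features like SharedArrayBuffer cannot fetch media ... without these headers"). Either state that no alternative was found and why, or describe at least one considered option (for example, a client proxying media through its own origin so that no cross-origin CORP opt-in is needed) and why it was rejected. Two smaller points on the same hunk: the in-document link on line 41, `[Security considerations](#Security-considerations)`, uses a capitalised fragment, while rendered markdown heading anchors are lowercase (`#security-considerations`), so the link may not resolve; and the Security considerations section (lines 51-53) would be stronger if it spelled out the reasoning it relies on, namely that `/_matrix/media/v3/download` and `/_matrix/media/v3/thumbnail` already respond with `Access-Control-Allow-Origin: *` (line 14), so `Cross-Origin-Resource-Policy: cross-origin` grants no read access that CORS does not already grant, and that the header is scoped to those two endpoints rather than applied homeserver-wide.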