|
| 1 | +# MSC4266: Policies in `/.well-known/matrix/support` |
| 2 | + |
| 3 | +Matrix supports collecting policy consent from users during [account |
| 4 | +registration]. There is, however, no API allowing clients to retrieve the |
| 5 | +policies again at a later point. This requires the user to manually store them |
| 6 | +upon registration to be able to refer to them again. |
| 7 | + |
| 8 | +Furthermore, some policies, such as the privacy policy, might be relevant for |
| 9 | +users of other homeservers. Again, these users' clients have no way to |
| 10 | +programmatically retrieve the server's policies. |
| 11 | + |
| 12 | +The present proposal addresses this situation by publishing the policies in the |
| 13 | +server's support document under [`/.well-known/matrix/support`]. |
| 14 | + |
| 15 | +## Proposal |
| 16 | + |
| 17 | +A new optional property `policies` is added to the response of |
| 18 | +[`/.well-known/matrix/support`]. The format is the same one used during |
| 19 | +[registration][account registration]. |
| 20 | + |
| 21 | +``` json5 |
| 22 | +{ |
| 23 | + "contacts": [ ... ], |
| 24 | + "support_page": ..., |
| 25 | + "policies": { |
| 26 | + "privacy_policy": { |
| 27 | + "en": { |
| 28 | + "name": "Privacy Policy", |
| 29 | + "url": "https://example.org/somewhere/privacy-1.2-en.html" |
| 30 | + }, |
| 31 | + "fr": { |
| 32 | + "name": "Politique de confidentialité", |
| 33 | + "url": "https://example.org/somewhere/privacy-1.2-fr.html" |
| 34 | + }, |
| 35 | + "version": "1.2" |
| 36 | + }, |
| 37 | + "terms_of_service": { |
| 38 | + "en": { |
| 39 | + "name": "Terms of Service", |
| 40 | + "url": "https://example.org/somewhere/terms-1.2-en.html" |
| 41 | + }, |
| 42 | + "fr": { |
| 43 | + "name": "Conditions d'utilisation", |
| 44 | + "url": "https://example.org/somewhere/terms-1.2-fr.html" |
| 45 | + }, |
| 46 | + "version": "1.2" |
| 47 | + } |
| 48 | + } |
| 49 | +} |
| 50 | +``` |
| 51 | + |
| 52 | +If the request is authenticated, the server SHOULD respond with the latest |
| 53 | +version of the policies that the user consented to. |
| 54 | + |
| 55 | +## Potential issues |
| 56 | + |
| 57 | +None. |
| 58 | + |
| 59 | +## Alternatives |
| 60 | + |
| 61 | +It might be debatable whether policies represent "support" information. Instead |
| 62 | +of repurposing the support document, the policies could also be made available |
| 63 | +via a dedicated endpoint. |
| 64 | + |
| 65 | +Instead of querying the server, the client could store the policies in the |
| 66 | +user's account data. If [encrypted] this would prevent the server from tampering |
| 67 | +with the policies the user has consented to. This would, however, not allow |
| 68 | +external users to retrieve the policies. |
| 69 | + |
| 70 | +## Security considerations |
| 71 | + |
| 72 | +The server could fake the terms and respond with a version that is different |
| 73 | +from the one the user consented to. |
| 74 | + |
| 75 | +## Unstable prefix |
| 76 | + |
| 77 | +While this proposal is unstable `policies` should be referred to as |
| 78 | +`org.matrix.msc4266.policies`. |
| 79 | + |
| 80 | + [account registration]: https://spec.matrix.org/v1.13/client-server-api/#terms-of-service-at-registration |
| 81 | + [`/.well-known/matrix/support`]: https://spec.matrix.org/v1.13/client-server-api/#getwell-knownmatrixsupport |
| 82 | + [encrypted]: https://spec.matrix.org/v1.13/client-server-api/#secret-storage |
0 commit comments