!DeRvyHqkqkIBbBtwsO:matrix.org

Homeserver Developers

346 Members
If you are building a homeserver, or you want to talk to other people that build homeservers, then this is the place for you! 🥳134 Servers

Load older messages


SenderMessageTime
20 Jun 2024
@gianni:frai.seFraise joined the room.17:28:35
@tobiasfella:kde.orgTobias Fella joined the room.17:30:23
21 Jun 2024
@wrath-pond-yalta:matrix.orgYalta joined the room.05:37:03
@gianni:frai.seFraiseOne question, not sure if this is the right place. Why has the decision been made to use 404 instead of 401? 06:11:31
@matthias:ahouansou.czMatthias
In reply to @gianni:frai.se
One question, not sure if this is the right place. Why has the decision been made to use 404 instead of 401?
Likely to prevent unauthenticated users from discovering if a media id is being used.
06:23:14
@gianni:frai.seFraisestill it is confusing for debugging as well, and knowing something is there but not being able to see it does not really make it less secure, this is just security through obscurity06:24:27
@benjamin:computer.surgerybenjaminit's not security through obscurity really, it's that the presence/absence of media with a particular id may itself be private information06:42:23
@daedric:aguiarvieira.ptRicardo Duarte Could it be because of this little bit? Specifically, if a 404 M_UNRECOGNIZED error is received, servers should fall back rather than treat the media as non-existent. 08:00:14
@clokep:matrix.orgclokepI think the original MSC details a bit more of the why.09:59:24
@zecakeh:tedomum.netKévin Commaille joined the room.10:10:35
@uis246:matrix.orguis
In reply to @gianni:frai.se
One question, not sure if this is the right place. Why has the decision been made to use 404 instead of 401?
I think 401 requires WWW-Authenticate header in reply. 403 is better.
13:10:38
@uis246:matrix.orguis
In reply to @matthias:ahouansou.cz
Likely to prevent unauthenticated users from discovering if a media id is being used.
In blog they say so users won't use matrix server as CDN
13:12:14
@matthias:ahouansou.czMatthiasThat is a reason why they moved to authenticated media, not why they are choosing to use 404.13:21:30
@gianni:frai.seFraiseRedacted or Malformed Event14:03:11
@gianni:frai.seFraiseAs long as your authentication process is solid I don't see the reason to show 404 instead of 401. People may something is there? The URL is random generated I thought, no filename?14:04:46
@travis:t2l.ioTravisR
In reply to @gianni:frai.se
One question, not sure if this is the right place. Why has the decision been made to use 404 instead of 401?
The 404 is used with a different error code to prevent casual detection of media IDs, as it's generally good practice to hide the existence of a resource.
14:28:32
@bkil:matrix.orgbkilWould it still hold if the key space was large enough?14:52:22
@uis246:matrix.orguis
In reply to @gianni:frai.se
As long as your authentication process is solid I don't see the reason to show 404 instead of 401. People may something is there? The URL is random generated I thought, no filename?
403, not 401. 401 if for prompting authentication in browsers. As I understand.
16:09:52
@daedric:aguiarvieira.ptRicardo Duarte citation needed ?? 16:13:51
@travis:t2l.ioTravisRhmm, I'm concerned that my message has disappeared 16:14:45
@travis:t2l.ioTravisRanyways: 403 or 401 implies that the same endpoint should be used with authentication added, which is not the case. The caller needs to use a different endpoint to retrieve the resource.16:15:33
@daedric:aguiarvieira.ptRicardo Duarte

The 404 is used with a different error code to prevent casual detection of media IDs, as it's generally good practice to hide the existence of a resource.

16:15:55
@daedric:aguiarvieira.ptRicardo DuarteThis one ?16:15:57
@uis246:matrix.orguishttps://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 And RFC7235 `The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.`16:16:22
@travis:t2l.ioTravisRWe use 404 to prevent casual observance of media IDs, though a different error code to trigger the spec's "this endpoint probably isn't the one you're looking for" bits.16:16:29
@uis246:matrix.orguishttps://datatracker.ietf.org/doc/html/rfc7235#section-3.116:16:32
@travis:t2l.ioTravisR Matrix overrides the WWW-Authenticate requirement already in several places. 16:16:59
@travis:t2l.ioTravisR The argument would be more whether authentication or authorization is required, but as mentioned, it doesn't matter because the endpoint is different. 16:17:29
@uis246:matrix.orguis
In reply to @travis:t2l.io
We use 404 to prevent casual observance of media IDs, though a different error code to trigger the spec's "this endpoint probably isn't the one you're looking for" bits.
As I understand up-to-spec client should never trigger this error
16:19:32
@travis:t2l.ioTravisRyup, though the real world is far from up to date 🙂16:20:35

There are no newer messages yet.


Back to Room ListRoom Version: 5