Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC3009: Websocket transport for client <--> widget communications #3009

Open
wants to merge 1 commit into
base: old_master
Choose a base branch
from

Conversation

turt2live
Copy link
Member

Rendered

Author's note: This is technically in review under the "we probably want alternative transports" flag, though websockets being the solution is questionable - see MSC for details.

@turt2live turt2live added proposal-in-review proposal A matrix spec change proposal kind:feature MSC for not-core and not-maintenance stuff labels Feb 15, 2021
Comment on lines +91 to +93
Regular HTTP might also work, as would Server-Sent Events, though these are inherently one-way or require
excessive resources to make two-way. Other efficient transports are not easily available on all platforms,
such as lower level TCP/UDP-based transports.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about QUIC over IP?

Copy link
Member Author

@turt2live turt2live Feb 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fair warning that other comments of this sort will be written off as malicious bikeshed - please include details of why the suggestion is better to avoid this designation

What are the benefits over websockets? Can web-based implementations more easily spin that up for bidirectional communications?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QUIC has the benefit of including both TLS and framed multi-streaming in one protocol. Shedding UDP means we can also get rid of 8 bytes of redundant header (ports and payload size), that QUIC already communicates (connection ID and per-stream payload size). You would keep an even number of streams to establish a bidirectional connection in QUIC over IP. WebSockets, unlike QUIC, requires a long sequence of connection bootstrapping (2+RTT vs 1RTT for QUIC).

Copy link
Contributor

@ShadowJonathan ShadowJonathan Feb 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How implementable is this for, say, element.io? Could element.io or any other web-based client easily create a QUIC communication channel?

I think this is more about availability than speed, as i interpret the primary objective of the MSC to have an easy-to-setup bidirectional channel for widgets. QUIC wouldn't pass under these requirements (unless i'm mistaken, and QUIC has gained prominent compatibility with application-facing APIs).

over this alternative transport, for example. Similarly, there is nothing to pin to the screen and therefore
the widget's attempts to request an "always on screen" capability would be for naught.

## Alternatives
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we might also be able to make the homeserver a bouncer by having a "client ID" of sorts to give the widget and homeserver, which opens a communication channel between the widget and client regardless of platforms.

There is a high likelihood that when a client spins up a websocket server that it'll be bound to localhost
without TLS. This could be problematic if widgets are transferring sensitive information over the API
which could be intercepted by local processes. This is akin to a malicious browser extension listening for
postmessage requests on `*`, however.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as i understand this opens an additional unauthenticated lisening port in the matrix client. So anything (including open web pages) might be able to connect to the matrix client and try to confuse it to break or do something unauthorized.

I think it would be better if the communication can be ensured to actually be from the widget. Passing a random string to the widget somehow that it needs to present in the first message on the websocket should mitigate such problems.

@turt2live turt2live added the widgets anything to do with widgets label Mar 10, 2021
@turt2live turt2live added the needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. label Jun 8, 2021
@@ -0,0 +1,110 @@
# MSC3009: Websocket transport for client <--> widget communications
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

none of this makes sense when we have to-device: https://github.com/matrix-org/matrix-doc/issues/3347

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind:feature MSC for not-core and not-maintenance stuff needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. proposal A matrix spec change proposal widgets anything to do with widgets
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants