MSC4095: Bundled URL previews #4095

Open
wants to merge 10 commits into base: main
Conversation

@tulir tulir commented Jan 31, 2024

Rendered

Implementations:

  • Beeper Desktop, Android and iOS render incoming bundled preview data, and bundle previews in outgoing messages using data from the /preview_url endpoint.
  • The next-gen Beeper Android client also generates preview data locally instead of asking the homeserver to do it.
  • mautrix-{whatsapp,signal,imessage} and beeper-imessage bridge preview data in both directions.
  • mautrix-{discord,telegram,twitter,instagram} bridge preview data from the remote network to Matrix.

Signed-off-by: Tulir Asokan <tulir@maunium.net>

@turt2live turt2live added proposal A matrix spec change proposal client-server Client-Server API kind:feature MSC for not-core and not-maintenance stuff needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. labels Feb 1, 2024
encrypted rooms unless the receiver opts in).

## Security considerations
Fake preview data as covered in potential issues.
@ara4n ara4n Feb 20, 2024

I think it's worth calling out some more explicit security concerns here:

If the sender doesn't use its server's /preview_url endpoint as a helper:

  • This will leak the sending client's IP to the URL they are previewing.
  • The client will need to be careful not to let itself get pwned by malicious content at that URL (e.g. XML parsing exploits in the HTTP library; billion lol attacks...)
  • The client should be very careful not to preview URLs provided by other users - e.g. when replying to a message or quoting it, to stop an attacker sending a malicious URL to a user in order to discover their IP or otherwise pwn them.
    • Concretely, we don't want a world where you receive spam saying "Click reply to this message to win $20M!!! https://evil.com", where the act of replying generates a preview to https://evil.com which then harvests your IP and serves you a malformed image in its URL preview thumbnail which then pwns your app
    • Another concrete attack could be sending a user a malicious URL (hidden in a hyperlink, perhaps? or hidden by mangled UTF sequences) which hits an RFC1918 address on their network to attack them - https://192.168.0.1/ or whatever, and encouraging the user to reply to or quote the msg

One might also want to require an allowlist of IPs the sender's spider is allowed to hit anyway, to try to avoid disasters where users are social-engineered into sending malicious URLs in general, which they never click on, but still get 'clicked on' by the URL previewer, causing chaos.

I'm sure there are a bunch more attack vectors here too...

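As an added example (not part of the MSC or of any implementation listed above), here is a Go guard of the kind the comment argues a client-side previewer needs: it previews only http/https URLs, resolves the host through an injectable resolver and refuses any address in a loopback, private, link-local or multicast range, returning the vetted addresses so the fetch dials them directly instead of re-resolving. The `Resolver` type and the two function names are chosen here for illustration; a real client would pass `net.LookupIP`.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Resolver is a hypothetical hook so the check can run offline; a real client
// passes net.LookupIP here.
type Resolver func(host string) ([]net.IP, error)

// ipAllowedForPreview rejects addresses an in-client previewer must never fetch:
// loopback, RFC 1918/ULA private, link-local (incl. cloud metadata endpoints),
// multicast, unspecified. net.IP also handles IPv4-mapped forms (::ffff:10.0.0.1).
func ipAllowedForPreview(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// previewTargetAllowed decides whether a URL the sender typed may be fetched for a
// bundled preview. It returns the vetted addresses so the caller dials one of them
// directly instead of re-resolving at connect time (DNS rebinding would let the
// first lookup answer publicly and the second privately).
func previewTargetAllowed(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q is not previewable", u.Scheme)
	}
	host := u.Hostname() // strips any port and IPv6 brackets
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip) // literal address: no lookup needed
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if !ipAllowedForPreview(ip) {
			return nil, fmt.Errorf("%s points at non-previewable address %s", host, ip)
		}
	}
	return ips, nil
}
```

Which URLs reach this check is still the client's policy: only text the sender typed, never the body of a quoted or replied-to message.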