@@ -68,17 +68,17 @@ Server names are resolved to an IP address and port to connect to, and
6868have various conditions affecting which certificates and ` Host ` headers
6969to send. The process overall is as follows:
7070
71- 1 . If the hostname is an IP literal, then that IP address should be
71+ 1 . If the hostname is an IP literal, then that IP address should be
7272 used, together with the given port number, or 8448 if no port is
7373 given. The target server must present a valid certificate for the IP
7474 address. The ` Host ` header in the request should be set to the
7575 server name, including the port if the server name included one.
76- 2 . If the hostname is not an IP literal, and the server name includes
76+ 2 . If the hostname is not an IP literal, and the server name includes
7777 an explicit port, resolve the IP address using AAAA or A records.
7878 Requests are made to the resolved IP address and given port with a
7979 ` Host ` header of the original server name (with port). The target
8080 server must present a valid certificate for the hostname.
81- 3 . If the hostname is not an IP literal, a regular HTTPS request is
81+ 3 . If the hostname is not an IP literal, a regular HTTPS request is
8282 made to ` https://<hostname>/.well-known/matrix/server ` , expecting
8383 the schema defined later in this section. 30x redirects should be
8484 followed, however redirection loops should be avoided. Responses
@@ -95,40 +95,40 @@ to send. The process overall is as follows:
9595 to step 4. If the response is valid, the ` m.server ` property is
9696 parsed as ` <delegated_hostname>[:<delegated_port>] ` and processed as
9797 follows:
98- - If ` <delegated_hostname> ` is an IP literal, then that IP address
98+ - If ` <delegated_hostname> ` is an IP literal, then that IP address
9999 should be used together with the ` <delegated_port> ` or 8448 if
100100 no port is provided. The target server must present a valid TLS
101101 certificate for the IP address. Requests must be made with a
102102 ` Host ` header containing the IP address, including the port if
103103 one was provided.
104- - If ` <delegated_hostname> ` is not an IP literal, and
104+ - If ` <delegated_hostname> ` is not an IP literal, and
105105 ` <delegated_port> ` is present, an IP address is discovered by
106106 looking up an AAAA or A record for ` <delegated_hostname> ` . The
107107 resulting IP address is used, alongside the ` <delegated_port> ` .
108108 Requests must be made with a ` Host ` header of
109109 ` <delegated_hostname>:<delegated_port> ` . The target server must
110110 present a valid certificate for ` <delegated_hostname> ` .
111- - If ` <delegated_hostname> ` is not an IP literal and no
111+ - If ` <delegated_hostname> ` is not an IP literal and no
112112 ` <delegated_port> ` is present, an SRV record is looked up for
113113 ` _matrix._tcp.<delegated_hostname> ` . This may result in another
114114 hostname (to be resolved using AAAA or A records) and port.
115115 Requests should be made to the resolved IP address and port with
116116 a ` Host ` header containing the ` <delegated_hostname> ` . The
117117 target server must present a valid certificate for
118118 ` <delegated_hostname> ` .
119- - If no SRV record is found, an IP address is resolved using AAAA
119+ - If no SRV record is found, an IP address is resolved using AAAA
120120 or A records. Requests are then made to the resolve IP address
121121 and a port of 8448, using a ` Host ` header of
122122 ` <delegated_hostname> ` . The target server must present a valid
123123 certificate for ` <delegated_hostname> ` .
124- 4 . If the ` /.well-known ` request resulted in an error response, a
124+ 4 . If the ` /.well-known ` request resulted in an error response, a
125125 server is found by resolving an SRV record for
126126 ` _matrix._tcp.<hostname> ` . This may result in a hostname (to be
127127 resolved using AAAA or A records) and port. Requests are made to the
128128 resolved IP address and port, using 8448 as a default port, with a
129129 ` Host ` header of ` <hostname> ` . The target server must present a
130130 valid certificate for ` <hostname> ` .
131- 5 . If the ` /.well-known ` request returned an error response, and the
131+ 5 . If the ` /.well-known ` request returned an error response, and the
132132 SRV record was not found, an IP address is resolved using AAAA and A
133133 records. Requests are made to the resolved IP address using port
134134 8448 and a ` Host ` header containing the ` <hostname> ` . The target
@@ -137,6 +137,7 @@ to send. The process overall is as follows:
137137{{% boxes/note %}}
138138The reasons we require ` <hostname> ` rather than ` <delegated_hostname> ` for SRV
139139delegation are:
140+
140141 1 . DNS is insecure (not all domains have DNSSEC), so the target of the delegation
141142 must prove that it is a valid delegate for ` <hostname> ` via TLS.
142143 2 . Consistency with the recommendations in [ RFC6125] ( https://datatracker.ietf.org/doc/html/rfc6125#section-6.2.1 )
@@ -356,17 +357,17 @@ specification](/rooms).
356357Whenever a server receives an event from a remote server, the receiving
357358server must ensure that the event:
358359
359- 1 . Is a valid event, otherwise it is dropped. For an event to be valid, it
360+ 1 . Is a valid event, otherwise it is dropped. For an event to be valid, it
360361 must contain a ` room_id ` , and it must comply with the event format of
361362 that [ room version] ( /rooms ) .
362- 2 . Passes signature checks, otherwise it is dropped.
363- 3 . Passes hash checks, otherwise it is redacted before being processed
363+ 2 . Passes signature checks, otherwise it is dropped.
364+ 3 . Passes hash checks, otherwise it is redacted before being processed
364365 further.
365- 4 . Passes authorization rules based on the event's auth events,
366+ 4 . Passes authorization rules based on the event's auth events,
366367 otherwise it is rejected.
367- 5 . Passes authorization rules based on the state before the event,
368+ 5 . Passes authorization rules based on the state before the event,
368369 otherwise it is rejected.
369- 6 . Passes authorization rules based on the current state of the room,
370+ 6 . Passes authorization rules based on the current state of the room,
370371 otherwise it is "soft failed".
371372
372373Further details of these checks, and how to handle failures, are
@@ -394,6 +395,25 @@ unspecified.
394395For an ` m.room.member ` state event, the user given by the ` state_key ` of
395396the event.
396397
398+ ** Historical String Power Levels** \
399+
400+ In order to maintain backwards compatibility with early implementations,
401+ power levels can optionally be represented in string format instead of
402+ integer format. A homeserver must be prepared to deal with this by parsing
403+ the power level from a string. In these cases, the following formatting of the
404+ power level string is allowed:
405+
406+ - a single Base10 integer, no float values or decimal points, optionally with leading zeroes;
407+ - optionally with leading or trailing whitespace characters;
408+ - optionally prefixed with a single ` - ` or ` + ` character before the integer but after leading whitespace padding.
409+
410+ {{% boxes/warning %}}
411+ This behaviour is preserved strictly for backward compatibility only. A
412+ homeserver should take reasonable precautions to prevent users from
413+ sending new power level events with string values and must never
414+ populate the default power levels in a room as string values.
415+ {{% /boxes/warning %}}
416+
397417#### Authorization rules
398418
399419The rules governing whether an event is authorized depends on a set of
@@ -418,14 +438,14 @@ the following subset of the room state:
418438
419439- If type is ` m.room.member ` :
420440
421- - The target's current ` m.room.member ` event, if any.
422- - If ` membership ` is ` join ` or ` invite ` , the current
441+ - The target's current ` m.room.member ` event, if any.
442+ - If ` membership ` is ` join ` or ` invite ` , the current
423443 ` m.room.join_rules ` event, if any.
424- - If membership is ` invite ` and ` content ` contains a
444+ - If membership is ` invite ` and ` content ` contains a
425445 ` third_party_invite ` property, the current
426446 ` m.room.third_party_invite ` event with ` state_key ` matching
427447 ` content.third_party_invite.signed.token ` , if any.
428- - If ` content.join_authorised_via_users_server ` is present,
448+ - If ` content.join_authorised_via_users_server ` is present,
429449 and the [ room version supports restricted rooms] ( /rooms/#feature-matrix ) ,
430450 then the ` m.room.member ` event with ` state_key ` matching
431451 ` content.join_authorised_via_users_server ` .
@@ -1101,22 +1121,22 @@ of `M_FORBIDDEN`.
11011121
11021122The following endpoint prefixes MUST be protected:
11031123
1104- - ` /_matrix/federation/v1/send ` (on a per-PDU basis)
1105- - ` /_matrix/federation/v1/make_join `
1106- - ` /_matrix/federation/v1/make_leave `
1107- - ` /_matrix/federation/v1/send_join `
1108- - ` /_matrix/federation/v2/send_join `
1109- - ` /_matrix/federation/v1/send_leave `
1110- - ` /_matrix/federation/v2/send_leave `
1111- - ` /_matrix/federation/v1/invite `
1112- - ` /_matrix/federation/v2/invite `
1113- - ` /_matrix/federation/v1/make_knock `
1114- - ` /_matrix/federation/v1/send_knock `
1115- - ` /_matrix/federation/v1/state `
1116- - ` /_matrix/federation/v1/state_ids `
1117- - ` /_matrix/federation/v1/backfill `
1118- - ` /_matrix/federation/v1/event_auth `
1119- - ` /_matrix/federation/v1/get_missing_events `
1124+ - ` /_matrix/federation/v1/send ` (on a per-PDU basis)
1125+ - ` /_matrix/federation/v1/make_join `
1126+ - ` /_matrix/federation/v1/make_leave `
1127+ - ` /_matrix/federation/v1/send_join `
1128+ - ` /_matrix/federation/v2/send_join `
1129+ - ` /_matrix/federation/v1/send_leave `
1130+ - ` /_matrix/federation/v2/send_leave `
1131+ - ` /_matrix/federation/v1/invite `
1132+ - ` /_matrix/federation/v2/invite `
1133+ - ` /_matrix/federation/v1/make_knock `
1134+ - ` /_matrix/federation/v1/send_knock `
1135+ - ` /_matrix/federation/v1/state `
1136+ - ` /_matrix/federation/v1/state_ids `
1137+ - ` /_matrix/federation/v1/backfill `
1138+ - ` /_matrix/federation/v1/event_auth `
1139+ - ` /_matrix/federation/v1/get_missing_events `
11201140
11211141## Signing Events
11221142
@@ -1157,11 +1177,11 @@ redacted copy.
11571177
11581178The signatures expected on an event are:
11591179
1160- - The ` sender ` 's server, unless the invite was created as a result of
1180+ - The ` sender ` 's server, unless the invite was created as a result of
11611181 3rd party invite. The sender must already match the 3rd party
11621182 invite, and the server which actually sends the event may be a
11631183 different server.
1164- - For room versions 1 and 2, the server which created the ` event_id ` .
1184+ - For room versions 1 and 2, the server which created the ` event_id ` .
11651185 Other room versions do not track the ` event_id ` over federation and
11661186 therefore do not need a signature from those servers.
11671187
@@ -1183,12 +1203,12 @@ some room versions. See the [room version
11831203specification] ( /rooms ) for more information. It is
11841204calculated as follows.
11851205
1186- 1 . The event is put through the redaction algorithm.
1187- 2 . The ` signatures ` , ` age_ts ` , and ` unsigned ` properties are removed
1206+ 1 . The event is put through the redaction algorithm.
1207+ 2 . The ` signatures ` , ` age_ts ` , and ` unsigned ` properties are removed
11881208 from the event, if present.
1189- 3 . The event is converted into [ Canonical
1209+ 3 . The event is converted into [ Canonical
11901210 JSON] ( /appendices#canonical-json ) .
1191- 4 . A sha256 hash is calculated on the resulting JSON object.
1211+ 4 . A sha256 hash is calculated on the resulting JSON object.
11921212
11931213### Calculating the content hash for an event
11941214
0 commit comments