This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Commit 52ee284

Revise after review.
1 parent 10ccc2c commit 52ee284

File tree

1 file changed

+27
-6
lines changed


README.rst

Lines changed: 27 additions & 6 deletions
@@ -157,15 +157,36 @@ repository endpoints`_.
157157

158158
.. _content repository endpoints: https://matrix.org/docs/spec/client_server/latest.html#get-matrix-media-r0-download-servername-mediaid
159159

160-
Whilst we make a reasonable effort to mitigate against XSS attacks (such as
161-
using `CSP`_), ideally a Matrix homeserver should be hosted on a dedicated
162-
domain name not shared by other web applications. This particularly applies to
163-
sharing the domain with Matrix web clients and other sensitive applications
164-
like webmail.
160+
Whilst we make a reasonable effort to mitigate against XSS attacks (for
161+
instance, by using `CSP`_), a Matrix homeserver should not be hosted on a
162+
domain hosting other web applications. This especially applies to sharing
163+
the domain with Matrix web clients and other sensitive applications like
164+
webmail. See
165+
https://developer.github.com/changes/2014-04-25-user-content-security for more
166+
information.
165167

166168
.. _CSP: https://github.com/matrix-org/synapse/pull/1021
167169

168-
Using a separate domain ensures that even if an XSS is found in Synapse, the
170+
Ideally, the homeserver should not simply be on a different subdomain, but on
171+
a completely different `registered domain`_ (also known as top-level site or
172+
eTLD+1). This is because `some attacks`_ are still possible as long as the two
173+
applications share the same registered domain.
174+
175+
.. _registered domain: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-2.3
176+
177+
.. _some attacks: https://en.wikipedia.org/wiki/Session_fixation#Attacks_using_cross-subdomain_cookie
178+
179+
To illustrate this with an example, if your Element Web or other sensitive web
180+
application is hosted on ``A.example1.com``, you should ideally host Synapse on
181+
``example2.com``. Some amount of protection is offered by hosting on
182+
``B.example1.com`` instead, so this is also acceptable in some scenarios.
183+
However, you should *not* host your Synapse on ``A.example1.com``.
184+
185+
Note that all of the above refers exclusively to the domain used in Synapse's
186+
``public_baseurl`` setting. In particular, it has no bearing on the domain
187+
mentioned in MXIDs hosted on that server.
188+
189+
Following this advice ensures that even if an XSS is found in Synapse, the
169190
impact to other applications will be minimal.
170191

171192
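Review bot: the "acceptable in some scenarios" wording on the ``B.example1.com`` line (new lines 181-182) leaves the reader without the reason the protection is only partial; since the earlier paragraph already links `some attacks`_ to the cross-subdomain cookie case, say it directly, e.g. "because a sibling subdomain can still set cookies scoped to ``example1.com``", so the reader can judge their own scenario. Two smaller points in the same hunk: the bare ``https://developer.github.com/...`` URL on new line 165 breaks the named-target style (`CSP`_, `registered domain`_, `some attacks`_) used everywhere else in this block, so give it a ``.. _user content security:`` target like the others; and the `registered domain`_ target points at a specific draft revision (``draft-ietf-httpbis-rfc6265bis-03``), which will go stale as the draft is revised, so consider linking the latest revision of the draft (or the published RFC once available) rather than ``-03``.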
