MSC2385: Disable URL Previews, alternative method #2385
Conversation
|
Other potential issue: naughty clients could add some urls in |
Further on, please comment on a specific line of text so that discussions could be tracked more easily. As per your concern - as far as I see, the MSC states that URLs in |
As stated in the MSC, |
|
Honestly I kinda like the potential to hint clients to render "previews" for links not present in the message. I believe facebook does this, where you can paste in a link, get a preview, remove the link and then just comment on the link being shared. essentially turning the preview into more of a "rich link" part of the message. |
Yes, but what if it's not the case? Anyway, maybe the pb is to avoid rendering useless url preview in the timeline, so maybe the solution is to stop displaying url preview in the timeline and display the preview in a popup when the link is hovered or when the link is clicked (the same way Google docs do it for instance). |
It is supposed to be ignored, as stated in the MSC
|
I would absolutely prefer such behaviour to be in a separate MSC. Matrix operates in a very different realm than Facebook; I could imagine such behaviour as somewhat natural in Mastodon but not in Matrix. |
|
| This proposal adds a new, optional key to `m.room.message` messages, named `url_previews`. It is an | ||
| array of strings containing the URLs a preview should be given to. If this key is absent, it is expected | ||
| that the client gives URL previews for all URLs present in the message body. If a URL is present in this key that is *not* | ||
| present in the body clients SHOULD NOT render a preview for that URL. |
There was a problem hiding this comment.
in the body or formatted body?
There was a problem hiding this comment.
(answering this may lead to further questions and concerns)
There was a problem hiding this comment.
since all links in the formatted_body should be present in the body and vice-versa (as the body is a plain-text fallback) this should only matter for those messages that actively disobey that.
That being said, it seem to make most sense to use the links in whichever the client uses to render: if it renders formatted stuffs the formatted_body, if it renders plaintext the body
There was a problem hiding this comment.
right, so the concern here would be that you can make a very convincing phishing attack: if it uses URLs only from body, your formatted body can be <a href="https://scam.com">https://example.org</a> with url_previews for https://example.org. Likewise, if it only looks at formatted bodies then the same attack can be applied.
Currently at least, clients will (or should) be showing a URL preview for the href rather than the text.
There was a problem hiding this comment.
If a client uses body (including URLs in it, naturally) to render the message then formatted_body is irrelevant, whichever URLs it contains, and vice versa. url_previews is only used as a whitelist for URLs in whichever body the client renders. I don't quite see the surface for a phishing attack here: what you see is what you get, with a caveat that an unsuppressed URL preview for a phishy URL in formatted_body may help revealing the attack (at the very least, it won't conceal the attack), whereas if an attacker suppreses the URL preview then it's up to the user to check where that URL leads to before following it.
There was a problem hiding this comment.
Sure, it's the responsibility of the user to check links before they click but in practice we shouldn't be designing into the protocol a requirement for people to do that.
The attack is quite literally:
{
"body": "https://example.org",
"format": "org.matrix.custom.html",
"formatted_body": "<a href="https://phishing.example.org">https://example.org</a>",
"url_previews": ["https://example.org"]
}Which clients that don't read the spec to the letter would render as:
Example Domain
This is an example domain.
Instead, we could be better at protecting users from badly written clients and from having to be more responsible than us.
There was a problem hiding this comment.
The fix for that is equally as trivial: As the client uses formatted_body to figure out URL previews, it is expected to figure out that the stuff in the href of the <a> tag should give the preview - not its content
There was a problem hiding this comment.
Maybe it would be more clear if it was specified like the following:
A client may chose to provide URL previews for the user. For each link the client finds in the message the client must consult the
url_previewsattribute. Ifurl_previewsis absent all URLs are allowed to be previewed, otherwise if the attribute is a list contacting the link URL, the URL is present for previewing.
So it is clear that the client must not read url_previews and search for the URL in the body, but instead if in the process of rendering the body it finds a link it should consult url_previews. In your example the client would never consider https://example.org a link and therefore would never be eligible for a preview whether or not url_previews was absent or ["https://example.org"]
The consequence is that putting arbitrary URLs into url_previews accomplishes nothing unless the URL is actually going to be treated as a link by the client.
|
This could help with clients exempting urls from the array by (for example) surrounding those urls with |
| ## Proposal | ||
| This proposal adds a new, optional key to `m.room.message` messages, named `url_previews`. It is an | ||
| array of strings containing the URLs a preview should be given to. If this key is absent, it is expected | ||
| that the client gives URL previews for all URLs present in the message body. If a URL is present in this key that is *not* |
There was a problem hiding this comment.
We can't expect that clients give URL previews as this could be a security problem. We should say that clients MAY provide previews for all URLs in the body.
There was a problem hiding this comment.
Good point. Also FYI url previews are proxied through your homeserver, so you don't actually have any security problem when generating those.
There was a problem hiding this comment.
However, there is a problem: WWW URLs may return different things depending on other log-ins and the like, so the sender and the homeserver of the sender may not see the same content.
There was a problem hiding this comment.
https://matrix.org/docs/spec/client_server/r0.6.1#get-matrix-media-r0-preview-url discussion on that is beyond this MSC. The top comment suggests to use "may" instead of "it is expected", which soru will incorporate into this MSC
There was a problem hiding this comment.
But it reveals the URL to the home server. You can imagine a case where a malicious user sends an illegal url so that a user may get in trouble if the honeservers logs are checked. I agree it isn't the worst privacy flaw but I think it is worth letting clients make the choice and provide users with options rather than writing this section like it is expected.
There was a problem hiding this comment.
The top comment suggests to use "may" instead of "it is expected", which soru will incorporate into this MSC
use "may" instead of "it is expected"
may means the clients still have a choice.
this MSC does not add any new locations where clients should display url previews, it is about limiting it in some messages. "Disable URL Previews".
Also there is a reason element disables URL previews in e2ee rooms by default.
There was a problem hiding this comment.
I like that. I think it makes sense to focus on disallowing certain previews in this MSC and not sound like we are requiring any previews where they weren't required previously.
|
|
||
| Instead of a whitelist there could also be a blacklist of URLs. However, as the likely scenario is a | ||
| bot wanting to surpress all the previews for its URLs sent it seems like a whitelist is more appropriate | ||
| here. |
There was a problem hiding this comment.
A whitelist also nicely prevents clients from parsing things that were not intended to be URLs and trying to preview them. Should mostly be relevant for text as html has a precise notion of what a link is but still nice to have.
| This proposal adds a new, optional key to `m.room.message` messages, named `url_previews`. It is an | ||
| array of strings containing the URLs a preview should be given to. If this key is absent, it is expected | ||
| that the client gives URL previews for all URLs present in the message body. If a URL is present in this key that is *not* | ||
| present in the body clients SHOULD NOT render a preview for that URL. |
There was a problem hiding this comment.
Maybe it would be more clear if it was specified like the following:
A client may chose to provide URL previews for the user. For each link the client finds in the message the client must consult the
url_previewsattribute. Ifurl_previewsis absent all URLs are allowed to be previewed, otherwise if the attribute is a list contacting the link URL, the URL is present for previewing.
So it is clear that the client must not read url_previews and search for the URL in the body, but instead if in the process of rendering the body it finds a link it should consult url_previews. In your example the client would never consider https://example.org a link and therefore would never be eligible for a preview whether or not url_previews was absent or ["https://example.org"]
The consequence is that putting arbitrary URLs into url_previews accomplishes nothing unless the URL is actually going to be treated as a link by the client.
| ## Potential issues | ||
| URLs that should have a preview need to be sent twice - once in the body, once in `url_previews`. As | ||
| this feature is meant for bots, normal human clients would probably omit `url_previews` alltogether, | ||
| resulting in all URLs sent from them having a preview. |
There was a problem hiding this comment.
I see no reason a client can't display a list of links that it detects and allow the user to disable previews for some or all of them.
There was a problem hiding this comment.
I must have missed this paragraph earlier. I agree that I don't see any reason why this should be intended mainly for bots and not for humans. There have been several occasions where I've typed a link and not wanted to have a preview because it causes extra noise (not just for rickrolling).
There was a problem hiding this comment.
I, as a human, would have use for this every once in a while. Implementation examples of UI for this have been mentioned earlier (facebook, ...). I don't know if it should be added to the MSC, but since the point is to not send certain URLs to the HS, the sending UX should be constructed in such a way that, if at all, it is the client which generates the preview so that you can then decide to include it or not. The reasoning being that the sending user has (99% likely) already visited that URL and, if privacy is a concern, taken appropriate measures.
|
|
||
| ## Potential issues | ||
| URLs that should have a preview need to be sent twice - once in the body, once in `url_previews`. As | ||
| this feature is meant for bots, normal human clients would probably omit `url_previews` alltogether, |
There was a problem hiding this comment.
| this feature is meant for bots, normal human clients would probably omit `url_previews` alltogether, | |
| this feature is meant for bots, normal human clients would probably omit `url_previews` altogether, |
... because English is weird.
turt2live
added
the
needs-implementation
|
I was going to open issue about this then I found this MSC! Thanks for good ideas guys ;) |
|
@Sorunome hello! If you don't have the time to respond to feedback on this MSC, you be willing to allow me to shepherd it? |
|
This was added to the "Needs idea feedback" column on the SCT backlog board as I thought it could use a more recent review from a SCT member. But in hindsight, this is mostly ready, and is just blocked on closing the existing threads of discussion. So... taking off the board again until that's done. |
I have received a "yes" out of band. |
|
#4095 is an alternative for this, with the extra functionality of being able to bundle preview data (the bundling isn't mandatory though) |
Rendered
This MSC provides an alternative method to MSC2376
Shepherd: @anoadragon453
Signed-off-by: Sorunome [email protected]