MSC4095: Bundled URL previews #4095

Open
wants to merge 13 commits into
base: main
97 changes: 97 additions & 0 deletions proposals/4095-bundled-url-previews.md
@@ -0,0 +1,97 @@
# Bundled URL previews
Currently, URL previews in Matrix are generated on the server when requested by
a client using the [`/_matrix/media/v3/preview_url`](https://spec.matrix.org/v1.9/client-server-api/#get_matrixmediav3preview_url)
endpoint. This is a relatively good approach, but a major downside is that the
user's homeserver gets all links the user's client wants to show a preview for,
which means using it in encrypted rooms will effectively leak parts of messages.

## Proposal
The proposed solution is allowing clients to bundle URL preview metadata inside
events.

A new field called `m.url_previews` is added. The field is an array of objects,
where each object contains OpenGraph data representing a single URL to preview,
similar to what the `/preview_url` endpoint currently returns:

* `matrix:matched_url` - The URL that is present in `body` and triggered this preview
to be generated. This is optional and should be omitted if the link isn't
present in the body.
* `matrix:image:encryption` - An [EncryptedFile](https://spec.matrix.org/v1.9/client-server-api/#extensions-to-mroommessage-msgtypes)
object for encrypted thumbnail images. Similar to encrypted image messages,
the URL is inside this object, and not in `og:image`.
* `matrix:image:size` - The byte size of the image, like in `/preview_url`.
* `og:image` - An `mxc://` URI for unencrypted images, like in `/preview_url`.
* `og:url` - Standard OpenGraph tag for the canonical URL of the previewed page.
* Any other standard OpenGraph tags.

At least one of `matrix:matched_url` and `og:url` MUST be present. All other
fields are optional.

### Client behavior
#### Sending preview data
When sending previews to encrypted rooms, clients should encrypt preview images
and put them in the `matrix:image:encryption` field. Other `og:image:*` and the
`matrix:image:size` field can still be used for image metadata, but the
`og:image` field should be omitted for encrypted thumbnails.

If clients use the `/preview_url` endpoint as a helper for generating preview
data, they should reupload the thumbnail image (if there is one) to create a
persistent `mxc://` URI, as well as encrypt it if applicable.

#### Receiving messages with `m.url_previews`
If an object in the list contains only `matrix:matched_url` and no other fields,
receiving clients should fall back to the old behavior of requesting a preview
using `/preview_url`. Clients may also choose to ignore bundled data and ask
the homeserver for a preview even if bundled data is present.

Clients should not search the `body` field for URLs if the `m.url_previews`
field is present, even if they fall back to the old behavior of requesting
preview data from the homeserver. Conversely, if the field is not present,
clients should fall back to the searching behavior.

The two above points effectively make this an alternative for
[MSC2385](https://github.com/matrix-org/matrix-spec-proposals/pull/2385).

## Potential issues
### Fake preview data
The message sender can fake previews quite trivially. This is considered an
acceptable compromise to achieve non-leaking URL previews in encrypted rooms.

Clients may choose to ignore embedded preview data in unencrypted rooms and
always use the `/preview_url` endpoint.

### More image uploads
Currently previews are generated by the server, which lets the server apply
caching and delete thumbnail images quickly. If the data was embedded in events
instead, the server would not be able to clean up images the same way.

### Web clients
Web clients likely can't generate previews themselves due to CORS and other
such protections.

Clients could use the existing URL preview endpoint to generate a preview and
bundle that data in events, which has the benefit of only leaking the link to
one homeserver (the sender's) instead of all servers. When doing this, clients
would have to download the preview image and reupload it to get a persistent
`mxc://` URI, and possibly encrypt it before uploading.

Alternatively, clients could simply not include preview data at all and have
receiving clients fall back to the old behavior (meaning no previews in
encrypted rooms unless the receiver opts in).

### Security considerations
Fake preview data as covered in potential issues.

## Alternatives
### Different generation methods
Previews could be generated by the receiving client, which both doesn't leak
links to the user's homeserver, and prevents fake previews. However, this would
leak the user's IP address to all links they receive, so it is not an
acceptable solution.

## Unstable prefix
Until this MSC is accepted, implementations should apply the following renames:

* `com.beeper.linkpreviews` instead of `m.url_previews`
* `beeper:image:encryption` instead of `matrix:image:encryption`
* `matched_url` instead of `matrix:matched_url`
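Review bot: the Security considerations section ("Fake preview data as covered in potential issues.") needs to say what a receiving client must verify before rendering, because every field of an `m.url_previews` object is chosen by the sender and the proposal only calls fake previews an "acceptable compromise". Two checks follow directly from the field definitions: a client should render an object only if its `matrix:matched_url` actually occurs in `body` (the text says the field "should be omitted if the link isn't present in the body", but nothing tells receivers to check that, so a sender can attach a trustworthy-looking card to a URL the message never contains, or pair an `og:url` with a `matrix:matched_url` that points somewhere else; showing `og:url` on the card mitigates the second case), and for `matrix:image:encryption` the client should verify the EncryptedFile hash before displaying the thumbnail and cap the download at `matrix:image:size`, since the sender controls both the ciphertext and the metadata. The fallback rule also has a gap: "If an object in the list contains only `matrix:matched_url` and no other fields, receiving clients should fall back" covers only that case, yet "At least one of `matrix:matched_url` and `og:url` MUST be present" permits an object carrying only `og:url`; state whether such an object triggers the same fallback or is rendered as a bare link. Finally, the unstable-prefix list renames `matrix:image:encryption` and `matrix:matched_url` but not `matrix:image:size`; add its unstable name or say explicitly that it keeps the stable one.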