2.6 KiB
MSC4189: Allowing guests to access uploaded media
MSC3916 introduced new endpoints which require clients to provide a valid access token in order to access media. The MSC failed to specify guest access requirements for the new endpoints.
This MSC specifies the missing guest access requirements on the new endpoints.
Proposal
The following endpoints explicitly permit guest access, joining the list of other endpoints already in the specification:
GET /_matrix/client/v1/media/download/{serverName}/{mediaId}GET /_matrix/client/v1/media/download/{serverName}/{mediaId}/{fileName}GET /_matrix/client/v1/media/thumbnail/{serverName}/{mediaId}
The rationale for the above endpoints is that being able to see events without the associated media isn't very useful.
For clarity, the following endpoints are not added to the guest access list, as their prior (now deprecated) versions are not already included. A future MSC may change this with sufficient rationale. Note that guests cannot currently upload files, but can send messages/events.
Potential issues
This MSC fixes an issue where guests cannot download images/files.
Alternatives
None applicable.
Security considerations
This MSC does not materially increase the threat profile for guests: guests could already download media using the unauthenticated endpoints.
Unstable prefix
Prefixed endpoints are excessive for this MSC. Implementations can enable guest access on the existing
endpoints safely, or continue to respond with "guest access forbidden" errors. No /versions flag
is specified for feature detection: clients with guest access tokens should expect failure until a
server advertises a specification version containing this MSC. Clients should continue trying to make
requests for the best user experience.
Dependencies
This MSC has no dependencies.