Clarify allowed characters in mxc:// URIs (#2377)

The security considerations section already has this MUST, but people
often don't look that far.

Signed-off-by: Tulir Asokan <tulir@maunium.net>
Tulir Asokan 2026-05-14 00:50:55 +03:00 committed by GitHub
parent 656bf61a3c
commit 684d080f9a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 1 deletions

@ -0,0 +1 @@
Clarify allowed characters in `mxc://` URIs.

@ -40,6 +40,10 @@ mxc://<server-name>/<media-id>
<media-id> : An opaque ID which identifies the content.
```
The `media-id` segment MUST consist of only alphanumeric (`A-Za-z0-9`), `_` and
`-` characters. See the [security considerations](#content-repo-security-considerations)
section below for more details.
#### Client behaviour {id="content-repo-client-behaviour"}
Clients can access the content repository using the following endpoints.
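
Review bot: The sentence added after the `<media-id>` definition restricts the character set but gives no minimum length, so an empty `media-id` still satisfies "MUST consist of only"; consider saying it is non-empty. The sentence also covers only `media-id` and does not say how a client or server should treat an `mxc://` URI that violates the rule. If the security considerations section specifies that handling, make the pointer say so, rather than "for more details", so readers who stop here know the requirement has a consequence.
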
@ -125,7 +129,7 @@ Servers MUST NOT upscale thumbnails under any circumstance. Servers MUST
NOT return a smaller thumbnail than requested, unless the original
content makes that impossible.
#### Security considerations
#### Security considerations {id="content-repo-security-considerations"}
The HTTP GET endpoint does not require any authentication. Knowing the
URL of the content is sufficient to retrieve the content, even if the
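
Review bot: Existing links to this heading's previously generated anchor may stop resolving once the explicit `{id="content-repo-security-considerations"}` on the `Security considerations` heading takes over. Check the rest of the spec for references to the old anchor and update them in this change. The id follows the same `content-repo-` prefix as `content-repo-client-behaviour`, which keeps the new link from the `media-id` paragraph consistent with the section's other anchors.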