From 60f4e5d61df461bf28dbb90c1e30e7d243bb8c10 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Thu, 12 Feb 2026 13:56:47 +0100 Subject: [PATCH 1/4] Spec for MSC4277: Harmonizing the reporting endpoints Signed-off-by: Johannes Marbach --- .../client_server/newsfragments/2311.feature | 1 + .../client_server/newsfragments/2311.removal | 1 + data/api/client-server/report_content.yaml | 28 +++++++++++++++---- 3 files changed, 24 insertions(+), 6 deletions(-) create mode 100644 changelogs/client_server/newsfragments/2311.feature create mode 100644 changelogs/client_server/newsfragments/2311.removal diff --git a/changelogs/client_server/newsfragments/2311.feature b/changelogs/client_server/newsfragments/2311.feature new file mode 100644 index 00000000..2e484047 --- /dev/null +++ b/changelogs/client_server/newsfragments/2311.feature @@ -0,0 +1 @@ +`/_matrix/client/v3/rooms/{roomId}/report` and `/_matrix/client/v3/rooms/{roomId}/report/{eventId}` may respond with HTTP 200 regardless of the reported subject's existence or add a random delay when generating responses as per [MSC4277](https://github.com/matrix-org/matrix-spec-proposals/pull/4277). diff --git a/changelogs/client_server/newsfragments/2311.removal b/changelogs/client_server/newsfragments/2311.removal new file mode 100644 index 00000000..f632ec46 --- /dev/null +++ b/changelogs/client_server/newsfragments/2311.removal @@ -0,0 +1 @@ +The `score` request parameter on `/_matrix/client/v3/rooms/{roomId}/report/{eventId}` was removed as per [MSC4277](https://github.com/matrix-org/matrix-spec-proposals/pull/4277). diff --git a/data/api/client-server/report_content.yaml b/data/api/client-server/report_content.yaml index 4934ef3f..1412768c 100644 --- a/data/api/client-server/report_content.yaml +++ b/data/api/client-server/report_content.yaml 
@@ -25,6 +25,15 @@ paths: the appropriate people. How such information is delivered is left up to implementations. The caller is not required to be joined to the room to report it. + + Clients could infer whether a reported room exists based on the 404 response. + Homeservers that wish to conceal this information MAY return 200 responses + regardless of the existence of the reported room. + + Furthermore, it might be possible for clients to deduce whether a reported + room exists by timing the response. This is because only a report for an + existing room will require the homeserver to do further processing. To + combat this, homeservers MAY add a random delay when generating a response. operationId: reportRoom parameters: - in: path @@ -52,6 +61,11 @@ paths: security: - accessTokenQuery: [] - accessTokenBearer: [] + x-changedInMatrixVersion: + 1.18: | + Servers MAY deny room ID enumeration by using the 200 response + regardless of the existence of the reported room and/or by adding + a random delay when generating responses. responses: "200": description: The room has been reported successfully. @@ -91,6 +105,10 @@ paths: the appropriate people. The caller must be joined to the room to report it. + Clients could infer whether a reported event exists based on the 404 response. + Homeservers that wish to conceal this information MAY return 200 responses + regardless of the existence of the reported event. + Furthermore, it might be possible for clients to deduce whether a reported event exists by timing the response. This is because only a report for an existing event will require the homeserver to do further processing. To @@ -117,15 +135,9 @@ paths: schema: type: object example: { - "score": -100, "reason": "this makes me sad" } properties: - score: - type: integer - description: |- - The score to rate this content as where -100 is most offensive - and 0 is inoffensive. reason: type: string description: The reason the content is being reported. 
@@ -136,6 +148,10 @@ paths: x-changedInMatrixVersion: 1.8: | This endpoint now requires the user to be joined to the room. + 1.18: | + The `score` request parameter was removed. Additionally, servers + may deny event ID enumeration by using the 200 response + regardless of the existence of the reported event. responses: "200": description: The event has been reported successfully. From 8efc54800024552775a3113b75b2eb3fa4f4eca1 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Wed, 25 Feb 2026 11:52:23 +0100 Subject: [PATCH 2/4] deny -> prevent Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- data/api/client-server/report_content.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/api/client-server/report_content.yaml b/data/api/client-server/report_content.yaml index 1412768c..3bac04d0 100644 --- a/data/api/client-server/report_content.yaml +++ b/data/api/client-server/report_content.yaml @@ -63,7 +63,7 @@ paths: - accessTokenBearer: [] x-changedInMatrixVersion: 1.18: | - Servers MAY deny room ID enumeration by using the 200 response + Servers MAY prevent room ID enumeration by using the 200 response regardless of the existence of the reported room and/or by adding a random delay when generating responses. responses: From 0eb091576dd90784df52b970b6eacaa16c4fc3fa Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Wed, 25 Feb 2026 11:52:47 +0100 Subject: [PATCH 3/4] deny -> prevent Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- data/api/client-server/report_content.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/api/client-server/report_content.yaml b/data/api/client-server/report_content.yaml index 3bac04d0..23a8e5be 100644 --- a/data/api/client-server/report_content.yaml +++ b/data/api/client-server/report_content.yaml 
@@ -150,7 +150,7 @@ paths: This endpoint now requires the user to be joined to the room. 1.18: | The `score` request parameter was removed. Additionally, servers - may deny event ID enumeration by using the 200 response + may prevent event ID enumeration by using the 200 response regardless of the existence of the reported event. responses: "200": From fd9989820a7f19dadf5d433ce7c9c9432009f543 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Thu, 26 Feb 2026 11:53:32 +0100 Subject: [PATCH 4/4] Allow 200s also for non-existing rooms Signed-off-by: Johannes Marbach --- data/api/client-server/report_content.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/data/api/client-server/report_content.yaml b/data/api/client-server/report_content.yaml index 23a8e5be..fd59c7d1 100644 --- a/data/api/client-server/report_content.yaml +++ b/data/api/client-server/report_content.yaml @@ -105,9 +105,9 @@ paths: the appropriate people. The caller must be joined to the room to report it. - Clients could infer whether a reported event exists based on the 404 response. - Homeservers that wish to conceal this information MAY return 200 responses - regardless of the existence of the reported event. + Clients could infer whether a reported event or room exists based on the 404 + response. Homeservers that wish to conceal this information MAY return 200 + responses regardless of the existence of the reported event or room. Furthermore, it might be possible for clients to deduce whether a reported event exists by timing the response. This is because only a report for an 
@@ -150,8 +150,8 @@ paths: This endpoint now requires the user to be joined to the room. 1.18: | The `score` request parameter was removed. Additionally, servers - may prevent event ID enumeration by using the 200 response - regardless of the existence of the reported event. + may prevent event/room ID enumeration by using the 200 response + regardless of the existence of the reported event/room. responses: "200": description: The event has been reported successfully.
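Review bot: In PATCH 1/4, hunk `@@ -25,6 +25,15 @@` (the `reportRoom` description), the sentence "homeservers MAY add a random delay when generating a response" does not say that the delay applies to every response, whether or not the room exists. A delay added on only one path would itself distinguish the two cases, and a delay hides nothing while the server still answers 404 for unknown rooms. Suggest wording such as "MAY add a random delay to all responses" and stating that it complements the 200 response described in the preceding paragraph.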
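Review bot: In PATCH 1/4, hunk `@@ -52,6 +61,11 @@`, the unchanged context line `description: The room has been reported successfully.` under `"200"` no longer matches the new 1.18 note, which allows the 200 response regardless of the existence of the reported room. Suggest rewording that description so a client does not read a 200 as confirmation that the room exists. The same applies to `description: The event has been reported successfully.` in the context of the event endpoint hunks.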
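Review bot: In PATCH 1/4, hunk `@@ -117,15 +135,9 @@`, the `score` property is dropped from the request schema without any statement of how a server should treat a request body that still carries it. Nothing in the lines shown here covers that case, so suggest a sentence in the 1.18 `x-changedInMatrixVersion` note saying whether servers ignore a `score` sent by older clients.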
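Review bot: In PATCH 1/4, hunk `@@ -136,6 +148,10 @@`, the event endpoint's 1.18 note uses lowercase "servers may deny event ID enumeration", while the room endpoint's 1.18 note and both endpoint descriptions use the normative "MAY". PATCH 3/4 and PATCH 4/4 reword this sentence but keep the lowercase "may". Suggest "MAY" here so the permission reads as normative for both endpoints.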
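Review bot: In PATCH 4/4, hunk `@@ -105,9 +105,9 @@`, the first paragraph now covers "event or room", but the following paragraph in the context lines still reads "deduce whether a reported event exists by timing the response". Suggest extending the timing paragraph to rooms as well, so that the 404 mitigation and the timing mitigation describe the same set of subjects.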