Clarify allowed characters in mxc:// URIs

The security considerations section already has this MUST, but people
often don't look that far.

Signed-off-by: Tulir Asokan <tulir@maunium.net>
Tulir Asokan 2026-05-13 18:10:26 +03:00
parent 59b92ce9e6
commit c5a4c0a1c8
2 changed files with 6 additions and 1 deletions

@ -0,0 +1 @@
Clarify allowed characters in `mxc://` URIs.
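Review bot: The changelog line says "allowed characters in `mxc://` URIs", but the spec text added in this commit only constrains the `media-id` segment and says nothing about `<server-name>`. Wording it as "allowed characters in the media ID of `mxc://` URIs" would match what actually changed.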

@ -40,6 +40,10 @@ mxc://<server-name>/<media-id>
<media-id> : An opaque ID which identifies the content. <media-id> : An opaque ID which identifies the content.
``` ```
The `media-id` segment MUST consist of only alphanumeric (`A-Za-z0-9`), `_` and
`-` characters. See the [security considerations](#content-repo-security-considerations)
section below for more details.
#### Client behaviour {id="content-repo-client-behaviour"} #### Client behaviour {id="content-repo-client-behaviour"}
Clients can access the content repository using the following endpoints. Clients can access the content repository using the following endpoints.
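Review bot: The new MUST after the `<media-id>` definition gives the character set but does not say whom it binds: servers when generating IDs, clients and servers when handling an `mxc://` URI they received, or both. Since the commit message notes that readers often do not reach the security section, one clause here naming who validates would make the requirement actionable without following the link. Two smaller wording points in the same sentence: "alphanumeric" is only pinned down by the parenthetical, so "MUST consist only of `A-Z`, `a-z`, `0-9`, `_` and `-`" would be harder to misread, and the text writes `media-id` where the grammar block directly above writes `<media-id>`.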
@ -125,7 +129,7 @@ Servers MUST NOT upscale thumbnails under any circumstance. Servers MUST
NOT return a smaller thumbnail than requested, unless the original NOT return a smaller thumbnail than requested, unless the original
content makes that impossible. content makes that impossible.
#### Security considerations #### Security considerations {id="content-repo-security-considerations"}
The HTTP GET endpoint does not require any authentication. Knowing the The HTTP GET endpoint does not require any authentication. Knowing the
URL of the content is sufficient to retrieve the content, even if the URL of the content is sufficient to retrieve the content, even if the
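Review bot: Before merging, confirm that no existing link targets the "Security considerations" heading under the anchor it had before the explicit `{id="content-repo-security-considerations"}` was added, because such a link would need updating to the new id. The id itself follows the `content-repo-client-behaviour` pattern visible in the earlier hunk and matches the `#content-repo-security-considerations` target of the new cross-reference.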