[WIP] MSC4097: Interactions between media redirection and authentication #4097
Conversation
turt2live
changed the title
turt2live
added
proposal
|
|
||
| **TODO**: This section. | ||
|
|
||
| ## Alternatives |
There was a problem hiding this comment.
Wouldn't having the auth/expiration data in a header instead of the URL fulfill the same purpose (preventing copying links) without the added complexity of an additional layer of encryption?
There was a problem hiding this comment.
CDNs find it difficult to use headers, unfortunately.
There was a problem hiding this comment.
CDNs find it easier to receive a temporary encryption key via a side channel and encrypt media on the fly than just read a header in the request and do some simple hmac check? 🤔 Fastly seems to have a header reading method at least: https://developer.fastly.com/reference/vcl/functions/headers/header-get/
A static per-media key would be easier for the CDN as it wouldn't need to know about encryption at all, and would also have the extra benefit of at-rest encryption, although that wouldn't be opt-in for clients.
There was a problem hiding this comment.
The concern was that headers are slow and might not be compatible with all providers. Will take a look though.
There was a problem hiding this comment.
ftr, Cloudflare and headers don't get along unless you have an Enterprise plan, which affects caching pretty badly.
Rendered
In line with matrix-org/matrix-spec#1700, the following disclosure applies:
I am Director of Standards Development at The Matrix.org Foundation C.I.C., Matrix Spec Core Team (SCT) member, employed by Element, and operate the t2bot.io service. This proposal is written and published under a generic Matrix.org Foundation role following discussions around FOSDEM 2024 regarding CDN usage in Matrix.
Implementation requirements: