-
Notifications
You must be signed in to change notification settings - Fork 392
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
MSC4266: Policies in /.well-known/matrix/support
Signed-off-by: Johannes Marbach <[email protected]>
- Loading branch information
Showing
1 changed file
with
82 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| # MSC4266: Policies in `/.well-known/matrix/support` | ||
|
|
||
| Matrix supports collecting policy consent from users during [account | ||
| registration]. There is, however, no API allowing clients to retrieve the | ||
| policies again at a later point. This requires the user to manually store them | ||
| upon registration to be able to refer to them again. | ||
|
|
||
| Furthermore, some policies, such as the privacy policy, might be relevant for | ||
| users of other homeservers. Again, these users' clients have no way to | ||
| programmatically retrieve the server's policies. | ||
|
|
||
| The present proposal addresses this situation by publishing the policies in the | ||
| server's support document under [`/.well-known/matrix/support`]. | ||
|
|
||
| ## Proposal | ||
|
|
||
| A new optional property `policies` is added to the response of | ||
| [`/.well-known/matrix/support`]. The format is the same one used during | ||
| [registration][account registration]. | ||
|
|
||
| ``` json5 | ||
| { | ||
| "contacts": [ ... ], | ||
| "support_page": ..., | ||
| "policies": { | ||
| "privacy_policy": { | ||
| "en": { | ||
| "name": "Privacy Policy", | ||
| "url": "https://example.org/somewhere/privacy-1.2-en.html" | ||
| }, | ||
| "fr": { | ||
| "name": "Politique de confidentialité", | ||
| "url": "https://example.org/somewhere/privacy-1.2-fr.html" | ||
| }, | ||
| "version": "1.2" | ||
| }, | ||
| "terms_of_service": { | ||
| "en": { | ||
| "name": "Terms of Service", | ||
| "url": "https://example.org/somewhere/terms-1.2-en.html" | ||
| }, | ||
| "fr": { | ||
| "name": "Conditions d'utilisation", | ||
| "url": "https://example.org/somewhere/terms-1.2-fr.html" | ||
| }, | ||
| "version": "1.2" | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| If the request is authenticated, the server SHOULD respond with the latest | ||
| version of the policies that the user consented to. | ||
|
|
||
| ## Potential issues | ||
|
|
||
| None. | ||
|
|
||
| ## Alternatives | ||
|
|
||
| It might be debatable whether policies represent "support" information. Instead | ||
| of repurposing the support document, the policies could also be made available | ||
| via a dedicated endpoint. | ||
|
|
||
| Instead of querying the server, the client could store the policies in the | ||
| user's account data. If [encrypted] this would prevent the server from tampering | ||
| with the policies the user has consented to. This would, however, not allow | ||
| external users to retrieve the policies. | ||
|
|
||
| ## Security considerations | ||
|
|
||
| The server could fake the terms and respond with a version that is different | ||
| from the one the user consented to. | ||
|
|
||
| ## Unstable prefix | ||
|
|
||
| While this proposal is unstable `policies` should be referred to as | ||
| `org.matrix.msc4266.policies`. | ||
|
|
||
| [account registration]: https://spec.matrix.org/v1.13/client-server-api/#terms-of-service-at-registration | ||
| [`/.well-known/matrix/support`]: https://spec.matrix.org/v1.13/client-server-api/#getwell-knownmatrixsupport | ||
| [encrypted]: https://spec.matrix.org/v1.13/client-server-api/#secret-storage |