warn people to avoid running a HS media repository on the same domain as another webapp

author: Matthew Hodgson <matthew@matrix.org> 2016-08-27 00:20:13 +0100
committer: Matthew Hodgson <matthew@matrix.org> 2016-08-27 00:20:39 +0100
commit: 5acbe09b6773d003c35d78a08605d70ff40ba365 (patch)
tree: 0773114b2a63281cca02e83d83a114fbc1898c53 /README.rst
parent: Merge pull request #1046 from matrix-org/markjh/direct_to_device (diff)
download: synapse-5acbe09b6773d003c35d78a08605d70ff40ba365.tar.xz
1 files changed, 15 insertions, 0 deletions
diff --git a/README.rst b/README.rst
index 172dd4dfa0..323f5b8db7 100644
--- a/README.rst
+++ b/README.rst
@@ -199,6 +199,21 @@ run (e.g. ``~/.synapse``), and::
     source ./bin/activate
     synctl start
 
+Security Note
+=============
+
+Matrix serves raw user generated data in some APIs - specifically the content
+repository endpoints: http://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid
+Whilst we have tried to mitigate against possible XSS attacks (e.g.
+https://github.com/matrix-org/synapse/pull/1021) we recommend running
+matrix homeservers on a dedicated domain name, to limit any malicious user generated
+content served to web browsers a matrix API from being able to attack webapps hosted
+on the same domain.  This is particularly true of sharing a matrix webclient and
+server on the same domain.
+
+See https://github.com/vector-im/vector-web/issues/1977 and
+https://developer.github.com/changes/2014-04-25-user-content-security for more details.
+
 Using PostgreSQL
 ================
author	Matthew Hodgson <matthew@matrix.org>	2016-08-27 00:20:13 +0100
committer	Matthew Hodgson <matthew@matrix.org>	2016-08-27 00:20:39 +0100
commit	5acbe09b6773d003c35d78a08605d70ff40ba365 (patch)
tree	0773114b2a63281cca02e83d83a114fbc1898c53 /README.rst
parent	Merge pull request #1046 from matrix-org/markjh/direct_to_device (diff)
download	synapse-5acbe09b6773d003c35d78a08605d70ff40ba365.tar.xz