matrix.org (communication)
-
-
I looked into the possibility of a new try to host Riot and Synapse on the same (sub)domain. Here's the reply:

yusf:
Or is there, if it's decided to host both on same (sub)domain, any method to reduce XSS attack probability?

Riot dude:
Basically the attack surface is such that any code which gets executed with access to that subdomain in a browser will have access to that user's matrix access token. So if you run things like synapse or other things on same subdomain and they end up serving malicious code then bad things can happen. It's a very narrow surface, csp can make it even more narrow.

How then to use the CSP setting?
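As an added example, not code from this thread, from Riot or from Synapse: a small POSIX shell check of whether a Content-Security-Policy value actually narrows the surface the reply describes. Because Riot keeps the Matrix access token in browser storage, the policy's job is to keep untrusted script off that origin entirely; once script runs there, CSP cannot hide the token from it. The policy in EXAMPLE_CSP, the host matrix.example.org and the function name check_csp are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: check that a Content-Security-Policy
# value narrows what a script on Riot's origin can do. Riot keeps the Matrix
# access token in browser storage, so the policy has to stop untrusted script
# from running on that origin at all; CSP cannot protect the token from script
# that is already allowed.

# Assumed starting policy (not an official Riot or Synapse recommendation):
# same-origin scripts only, no plugins, no framing, no <base> hijacking,
# and XHR/WebSocket only to the app's own origin and the homeserver.
# matrix.example.org is a placeholder for the real homeserver host.
EXAMPLE_CSP="default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; connect-src 'self' https://matrix.example.org"

# check_csp VALUE: returns 0 when VALUE carries every directive this scenario
# needs and script-src allows no inline or eval'd script; otherwise prints
# what is missing or weak and returns 1.
check_csp() {
    value="$1"
    status=0
    for directive in "default-src" "script-src" "object-src 'none'" "base-uri" "frame-ancestors"; do
        case "$value" in
            *"$directive"*) ;;
            *) echo "missing: $directive"; status=1 ;;
        esac
    done
    # Isolate the script-src directive; 'unsafe-inline' or 'unsafe-eval' there
    # lets injected markup run as script, which is exactly the token-theft path.
    script_src=$(printf '%s' "$value" | tr ';' '\n' | sed -n 's/^ *script-src //p')
    case "$script_src" in
        *unsafe-inline*|*unsafe-eval*) echo "weak: script-src permits inline or eval"; status=1 ;;
    esac
    # A wildcard default-src is no policy at all.
    case "$value" in
        *"default-src *"*) echo "weak: default-src is a wildcard"; status=1 ;;
    esac
    return $status
}
```

Serve the value as the Content-Security-Policy header from whatever fronts Riot's static files (nginx's add_header, for example), then run `check_csp "<value>"` against what the browser actually receives. A single-page app may need a looser style-src; the check only rejects unsafe-inline and unsafe-eval inside script-src, since that is the directive that decides whether injected markup can execute.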
-
Another useful tool to possibly embed in this app package is matrix-corporal, though as an opt-in by default (enabled but void of policy) https://github.com/devture/matrix-corporal
-
Just pushed an update for v1.8.0, apparently there were some changes in the config at some point, so when you're using log_file, you might need to remove that in order to be able to start the latest version.
In case it doesn't, jump on a terminal, check if it's actually running (ps -ax) and if not, manually launch with

gosu www-data python3 -m synapse.app.homeserver --config-path homeserver.yaml

from /app/data/synapse and check the error message.
-
@yusf in earlier versions the homeserver.yaml contained a config item

# File to write logging to. Ignored if log_config is specified.
log_file: "/run/synapse/homeserver.log"

This got removed by moving it into the log_config itself which is set in

log_config: "/app/data/synapse/..."

- apparently the config for my main matrix server had that still in there because it's rather old and always migrated including this setting. Matrix wouldn't start after the latest update if you had this still enabled so I had to #comment it out to be able to start afterwards.

@girish sure thing, I'll look into it later today
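As an added example (not msbt's code and not part of the package): a POSIX shell migration check that does what the post describes by hand, commenting out an obsolete top-level log_file key in homeserver.yaml and warning when no log_config is set. The function names and the sample paths are assumptions; in the package the config lives under /app/data/synapse.

```shell
#!/bin/sh
# Added example, not the package's own code: strip the obsolete top-level
# `log_file` key from a Synapse homeserver.yaml before upgrading. Synapse moved
# log output into the file named by log_config, so a leftover log_file line
# stops newer versions from starting.

# has_legacy_log_file FILE: 0 if FILE still has an uncommented top-level
# log_file key (no leading whitespace, so nested keys are not touched).
has_legacy_log_file() {
    grep -q '^log_file:' "$1"
}

# comment_out_log_file FILE: prefix every top-level log_file line with "# ".
# GNU and BSD sed disagree on -i, so write to a temp file and move it back.
comment_out_log_file() {
    tmp="$1.migrate.$$"
    sed 's/^log_file:/# log_file:/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# migrate_config FILE: warn if logging is not configured via log_config,
# then neutralise the legacy key if present.
migrate_config() {
    cfg="$1"
    if ! grep -q '^log_config:' "$cfg"; then
        echo "warning: no log_config in $cfg; logging must be configured there" >&2
    fi
    if has_legacy_log_file "$cfg"; then
        comment_out_log_file "$cfg"
        echo "commented out log_file in $cfg"
    else
        echo "nothing to do in $cfg"
    fi
}
```

Run it as `migrate_config /app/data/synapse/homeserver.yaml` (path assumed) before starting the updated version; a second run reports nothing to do, so it is safe to include in an update hook.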
-
@msbt Thanks for updating the license.
OK, this was stupid. I didn't see that you had a riot app, so I ended up making the front end of my own https://git.cloudron.io/cloudron/riot-web-app . It's pretty much the same as yours except I don't use nginx (I will probably put your nginx code into mine).
I have pushed Riot Web to unstable now.
I will push out your matrix in the next few days. Thanks!