element-web
abuse: "via" parameter injected into share url and can't be removed by room admin
Steps to reproduce
- Visit https://app.element.io/#/room/#WebGPU:matrix.org
- Highlight a message and click "Share"
- Copy the URL, get something like
https://matrix.to/#/!MFogdGJfnZLrDmgkBN:matrix.org/$2itkkk9rB5CCFgK_MsuToQsg8Ghl6O8EOJX4fEcgFpI?via=matrix.org&via=mozilla.org&via=matrix.kiwifarms.net
Outcome
What did you expect?
URL should have only via=matrix.org because the only room address is on matrix.org.
What happened instead?
URL contains via=matrix.kiwifarms.net
I don't want kiwifarms URLs in my room's share URLs.
Operating system
No response
Browser information
No response
URL for webapp
app.element.io
Application version
Element version: 1.11.5, Olm version: 3.2.12
Homeserver
matrix.org
Will you send logs?
No
FWIW if I share the room itself, there are no via parameters: https://matrix.to/#/#WebGPU:matrix.org
The vias are generated as the homeserver of the highest power user in the room, as well as the top two servers ordered by number of users in the room. This is to prevent the link from not working when one of the servers is offline. Aliases have nothing to do with message permalinks which are specced to be based on the room id. You can remove it manually by tweaking the link or banning that server from your room using server ACLs.
Thanks for the explanation! That led me to the "workaround" of simply banning the server from my room - which I'd have wanted to do anyway, if I thought of it - and removing the 2 associated users, who have never participated in the chat anyway.
I think banning the server prevents its users from joining my room in the future, but I'm not familiar with the protocol so I'm not exactly sure.
I banned the server via /devtools using m.room.server_acl, as described here: https://matrix.org/docs/guides/moderation#banning-servers-from-rooms-server-acls
    {
        "allow": [
            "*"
        ],
        "allow_ip_literals": false,
        "deny": [
            "matrix.kiwifarms.net"
        ]
    }
Assuming I've understood correctly, this is a solution to the problem I have. I will close this issue, but you can reopen it if you think there's some work that should be done on it.
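The selection described in the reply above, and the effect of the ACL workaround on it, as an added JavaScript sketch that is not part of the thread and is not Element's own code. It assumes candidates are capped at three distinct servers and that servers rejected by `m.room.server_acl` are skipped; the function names and the membership list are constructed for illustration.

```javascript
// Added sketch, not Element's source; selection order and cap are assumptions.
const MAX_VIAS = 3;

// m.room.server_acl globs: "*" matches any run of characters, "?" exactly one.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
}

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
}

function aclPermits(server, acl) {
  if (!acl) return true; // room has no ACL event
  const host = server.replace(/:\d+$/, ""); // match on the name without a port
  if (acl.allow_ip_literals === false && isIpLiteral(host)) return false;
  if ((acl.deny || []).some((g) => globToRegExp(g).test(host))) return false;
  return (acl.allow || []).some((g) => globToRegExp(g).test(host));
}

function pickVias(members, acl) {
  const usable = members
    .map((m) => ({ power: m.power, server: m.userId.slice(m.userId.indexOf(":") + 1) }))
    .filter((m) => aclPermits(m.server, acl));
  const vias = [];
  // 1. Homeserver of the highest-power user still permitted by the ACL.
  const top = usable.reduce((a, b) => (a && a.power >= b.power ? a : b), null);
  if (top) vias.push(top.server);
  // 2. Remaining slots go to the most-populated permitted servers.
  const counts = new Map();
  for (const m of usable) counts.set(m.server, (counts.get(m.server) || 0) + 1);
  const byPopulation = [...counts].sort((a, b) => b[1] - a[1]).map(([s]) => s);
  for (const s of byPopulation) {
    if (vias.length >= MAX_VIAS) break;
    if (!vias.includes(s)) vias.push(s);
  }
  return vias;
}

// Constructed membership list (user IDs and power levels are made up).
const SAMPLE_MEMBERS = [
  { userId: "@admin:matrix.org", power: 100 }, { userId: "@a:matrix.org", power: 0 },
  { userId: "@b:matrix.org", power: 0 }, { userId: "@c:mozilla.org", power: 0 },
  { userId: "@d:mozilla.org", power: 0 }, { userId: "@e:matrix.kiwifarms.net", power: 0 },
  { userId: "@f:matrix.kiwifarms.net", power: 0 }, { userId: "@g:example.org", power: 0 },
];
// The ACL content posted in the thread.
const SAMPLE_ACL = { allow: ["*"], allow_ip_literals: false, deny: ["matrix.kiwifarms.net"] };
```

The deny entry is an exact name here; a glob such as `*.kiwifarms.net` would also cover other hosts under that domain.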