MSC4228: Search Redirection #4228

turt2live
Member

Warning

Content Warning: This proposal discusses mechanisms to reduce searches for illegal or harmful content on a homeserver. This proposal links to research which discusses the impact of Child Sexual Abuse Material (CSAM).

Given the sensitive nature of the topic, comments, suggestions, and concerns may be sent directly to the author. It is important that all members of our community contribute to a safe and positive review atmosphere.

The author can be reached on Matrix at @travis:t2l.io or via email at [email protected]. If you prefer to contact the Trust & Safety (T&S) team instead, please email [email protected]. The author is a member of the T&S team, and will ensure a different member of the team reviews [email protected] emails.


Rendered


Disclosure: I am Director of Standards Development at The Matrix.org Foundation C.I.C., Matrix Spec Core Team (SCT) member, employed by Element, and operate the t2bot.io service. This proposal is written and published as a Trust & Safety team member allocated in full to the Foundation.

turt2live changed the title from "MSC: Search Redirection" to "MSC4228: Search Redirection" on Nov 18, 2024
turt2live added labels on Nov 18, 2024: proposal (A matrix spec change proposal), s2s (Server-to-Server API (federation)), client-server (Client-Server API), kind:core (MSC which is critical to the protocol's success), needs-implementation (This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP.)
Member Author

Implementation requirements:

  • Client
  • Server

@aine-etke

This is an amazing idea!
We will be glad to implement this MSC in the Matrix Rooms Search project, especially because it already does search keyword filtering: https://github.com/etkecc/mrs/blob/main/config.yml.sample#L103

Is there any potential harm in implementing 403 on MRS right now, without support from major server and client apps?

Comment on lines +52 to +54
For the federation endpoint specifically, the local user SHOULD have the remote server's error proxied
straight through to them, however some implementations may prefer to replace the error before serving
it to their users. This can help reduce the potential of remote Cross-Server Scripting (XSS) attacks.
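Review bot: On the last line here, "Cross-Server Scripting (XSS)" expands the abbreviation incorrectly; XSS is Cross-Site Scripting. Suggest naming the actual concern, which these lines imply is a remote server's error text reaching the local user unmodified, and saying when each behaviour applies, since the paragraph sets a SHOULD for proxying the error straight through and then permits replacing it without giving a condition for either.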
Member

Is there any guidance on when a server may wish to replace it?

Comment on lines +97 to +99
Specific error codes are a potential alternative, however due to the wide variety of illegal material
and jurisdictions, this proposal has determined that a single, generic, error code with specific message
more easily covers the use cases.
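Review bot: In the final clause, "with specific message" puts the weight of the design on the message text, but these lines do not say whether that message is meant for direct display to the user or what it is expected to convey for a given jurisdiction or type of material. Suggest stating that explicitly, and fixing the phrasing to "a single, generic error code with a specific message".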
Member

This made me think that it was at least adding an error message for illegal content, but I see it is a generic "FORBIDDEN" -- I guess the rationale is that this can be applied for many different cases.

@RokeJulianLockhart RokeJulianLockhart Nov 25, 2024

> This made me think that it was at least adding an error message for illegal content, but I see it is a generic "FORBIDDEN" [1]

@clokep, implementations like invent.kde.org/network/neochat/-/merge_requests/2023#note_1079171 at least use specific error messages.

Footnotes

  1. github.com/matrix-org/matrix-spec-proposals/pull/4228/files#r1848573512

Member

I meant "error code", not "error message"; sorry for the confusion.

kdesysadmin pushed a commit to KDE/neochat that referenced this pull request Nov 22, 2024
See matrix-org/matrix-spec-proposals#4228 for details.
Since this is tricky to test without server-side support, I have added a basic implementation
to the mock server in appiumtests/login-server.py

1. Start appiumtests/login-server.py
2. Start neochat with "--test --ignore-ssl-errors" options
3. Open "Explore Rooms"
4. Search for the exact string "forbidden"
5. See new error message provided by server

I have implemented the client side of this MSC in NeoChat: https://invent.kde.org/network/neochat/-/merge_requests/2023 - For now without support for MSC4176

kdesysadmin pushed a commit to KDE/neochat that referenced this pull request Nov 23, 2024
----

A common approach for tackling abuse is to prevent the content from being presented to users in any
way, disincentizing the use of the platform for sharing that particular type of content. The common

- disincentizing
+ disincentivizing
