element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
GNU Affero General Public License v3.0

Make it crystal clear that you should not run Vector on the same domain as a HS #1977

Closed ara4n closed 8 years ago

ara4n commented 8 years ago

And instead your media repo at least should be on a different domain.

erikjohnston commented 8 years ago

Do we also want to add Content-Security-Policy: sandbox headers to responses from media repo?

azrdev commented 8 years ago

I'm interested in why you shouldn't do that.

ara4n commented 8 years ago

For the same reasons as https://developer.github.com/changes/2014-04-25-user-content-security. We'll ship an updated synapse very shortly (possibly today) with Erik's fix mentioned above to mitigate the risk.

ara4n commented 8 years ago

synapse 0.17.1 shipped with a mitigation for this.

Meanwhile I've pushed matrix-org/synapse@907486e and efc5462 to recommend that people put HSes on their own domain if at all possible.

ara4n commented 8 years ago

This was also mitigated a bit in vector in https://github.com/vector-im/vector-web/commit/d3eccc1d6f7f3e19a39df41f9658d056a7feff04 ftr.

anatomism commented 8 years ago

Is this still something to be aware of:

I run Vector and Synapse on the same server, both proxied through Nginx: Vector on vector.example.com, Matrix on matrix.example.com. Headers to prevent XSS are active. Should I be physically separating Matrix and Vector, or are we saying a completely different domain, e.g. example1.com and example2.com?

ara4n commented 8 years ago

synapse 0.17.1 makes this much less of a concern, hence not pushing this issue. in general it's good practice to host on separate vhosts anyway, as you are doing. no need for physically separate hosts.

jooize commented 7 years ago

What is best practice? It's not clear to me. “Much less of a concern” doesn't sound like not a concern at all.

indolering commented 7 years ago

What is best practice? It's not clear to me. “Much less of a concern” doesn't sound like not a concern at all.

You are sharing cookies if you share a common root domain, so form submission logic is wacky. But as long as the sub-domains are different, the SOP is enforced correctly.

ara4n commented 7 years ago

Best practice is still to run Riot on a separate domain to the homeserver for good hygiene. However, we are not aware of any current attacks caused by sharing domain.

We don't use cookies anywhere so form submission attacks aren't a major concern.
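An added example, not code from this thread or from the Element or Synapse projects, that encodes the hygiene points discussed above as a check over a client URL, a media repository URL and the media response headers: same origin (client and user-uploaded content share an origin), same registrable domain (the cookie-sharing point), and whether the media responses carry the Content-Security-Policy: sandbox mitigation. The registrable-domain heuristic and the sample deployments are constructed simplifications.

```python
from urllib.parse import urlsplit


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) as compared by the browser's same-origin policy."""
    u = urlsplit(url)
    default_port = {"https": 443, "http": 80}.get(u.scheme.lower(), 0)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port or default_port)


def registrable_domain(host: str) -> str:
    """Crude approximation (last two labels) of the domain cookies can be scoped to.
    Simplification: a real check needs the Public Suffix List (e.g. for co.uk)."""
    return ".".join(host.split(".")[-2:])


def csp_directives(header_value: str) -> set[str]:
    """Directive names present in a Content-Security-Policy header value."""
    return {d.strip().split()[0].lower() for d in header_value.split(";") if d.strip()}


def check_deployment(client_url: str, media_url: str, media_headers: dict) -> dict:
    """Report the three hygiene points from the thread for one client/media pairing."""
    client, media = origin(client_url), origin(media_url)
    headers = {k.lower(): v for k, v in media_headers.items()}
    return {
        # worst case: user-uploaded content is served from the client's own origin
        "same_origin": client == media,
        # separate origins, but a cookie set with Domain=<root> would still be shared
        "same_registrable_domain": registrable_domain(client[1]) == registrable_domain(media[1]),
        # the mitigation suggested above: sandbox media responses so they cannot act as the origin
        "media_sandboxed": "sandbox" in csp_directives(headers.get("content-security-policy", "")),
    }


if __name__ == "__main__":
    # constructed sample inputs mirroring the deployments asked about in the thread
    cases = {
        "same host": ("https://example.com", "https://example.com", {}),
        "subdomains": ("https://riot.example.com", "https://matrix.example.com",
                       {"Content-Security-Policy": "sandbox"}),
        "parent domain": ("https://riot.example.com", "https://example.com", {}),
        "separate domains": ("https://example1.com", "https://example2.com",
                             {"Content-Security-Policy": "default-src 'none'; sandbox"}),
    }
    for name, (client, media, hdrs) in cases.items():
        print(name, check_deployment(client, media, hdrs))
```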

eauchat commented 5 years ago

Hello,

In this thread, you mention (from what I understand) that having Riot and Synapse served at matrix.domain.tld and riot.domain.tld doesn't bring security issues. I was wondering if the same applies to Synapse serving at domain.tld and Riot at riot.domain.tld, since Synapse is then on a parent domain.

Also, it's mentioned that it's better to run Synapse and Riot on different machines (whether physical or virtual). What are the security implications of running Synapse and Riot on the same machine?

Thank you :)

fridtjof commented 5 years ago

I am also interested whether this scenario is okay or not from a security standpoint. The whole domain/XSS part of the web is not exactly my strong suit, so I would also appreciate if you clarified this. Thank you :)

fdrubigny commented 3 years ago

Good evening, I'm interested in installing a Synapse server and the Element web client. I read this thread and I wonder: if I install Synapse on 1NDD.com and Element on subdomain.1NND.com, is it OK, or do we really have to separate them, e.g. the server on ndd1 and Element on ndd2? Thank you in advance for your details. Kind regards.

jryans commented 3 years ago

Please ask support questions like this in Matrix rooms like #element-web:matrix.org.