warn people to put their Matrix HS on a separate domain

Matthew Hodgson 2016-08-27 00:13:20 +01:00
parent 2199fe5cbf
commit efc5462131


@ -20,6 +20,19 @@ of Vector:
as desired. See below for details.
1. Enter the URL into your browser and log into vector!
Important Security Note
=======================
We do not recommend running Vector from the same domain name as your Matrix
homeserver. The reason is the risk of XSS (cross-site-scripting) vulnerabilities
that could occur if someone caused Vector to load and render malicious user generated
content from a Matrix API which then had trusted access to Vector due
to sharing the same domain.
We have put some coarse mitigations into place to try to protect against this situation,
but it's still not good practice to do it in the first place.
See https://github.com/vector-im/vector-web/issues/1977 for more details.
Building From Source
====================
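Review bot: "separate domain name" in the new Important Security Note is less precise than the threat it describes: what actually isolates the client from homeserver-served content is a different web origin (scheme, host and port), and a sibling or child hostname of the homeserver's domain is a different origin but can still share cookies scoped to the parent domain; suggest rewording to "a separate origin (ideally a different registrable domain)" so administrators do not treat `vector.example.org` beside `matrix.example.org` as fully equivalent to a distinct domain. The note also mentions "coarse mitigations" without naming them or linking to where they live, so an admin cannot check whether they apply to their deployment; either list them or point at the issue section that does. Finally, the note is placed after step "1. Enter the URL into your browser and log into vector!", i.e. after the reader has already chosen where to host Vector; moving it above the installation steps (or adding a one-line pointer there) would let the domain decision be made with this warning in view.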