Element-web: Is installing riot in subdomain of the domain used by synapse a problem?

Created on 9 Sep 2019 · 8 Comments · Source: vector-im/element-web

In this issue it's explained that you shouldn't run riot with the same domain where synapse is running. I posted this question to get details about it but never got any comment on that, so I thought maybe I can create a proper issue for this question.

The thread mentions (from what I understand) that having Riot and Synapse served on matrix.domain.tld and riot.domain.tld doesn't bring security issues.
I was wondering if the same applies to Synapse served on domain.tld and Riot on riot.domain.tld, since Synapse is then on a parent domain.

Also, it's mentioned that it's better to run Synapse and Riot on different machines (whether physical or virtual).
What are the security implications of running Synapse and Riot on the same machine?

Thanks a lot for the attention :)

All 8 comments

This is more a support question for #riot:matrix.org which is why it never got attention on an already closed issue.

I could ask it on #riot:matrix.org yep. I asked here because seeing the reactions on my previous comment, it seemed that other people were interested as well.
So I thought it'd be useful to have the answer more widely accessible.

Subdomains are different domains as far as CORS is concerned; however, do be cautious about running your homeserver on example.org and riot on riot.example.org.

Thank you for the precision @turt2live.
Any further precision on what "being cautious" means and what the risks are is still very welcome :)

You theoretically can open yourself up to XSS and similar attacks if using the same domain. It's generally considered a very bad practice.

Hello,

And how about the following configuration:

  • Riot installed on riot.domain_1.tld.
  • Synapse installed on synapse.domain_1.tld.
  • And the username for this Synapse instance is user#domain_1.tld. With the following DNS registry:
_matrix._tcp.domain_1.tld     3600    IN SRV   10   0   8448   synapse.domain.tld

@Josue-T this is not the place to verify your configuration. Please visit #riot-web:matrix.org or #synapse:matrix.org instead.

I find @Josue-T's question useful and still feel not so clear about this issue.
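
Added example, not part of the thread and not Element or Synapse code: it applies the browser's origin comparison (scheme, host, port), which is what CORS uses, to the hostname layouts asked about above, and the RFC 6265 cookie domain-match rule as one browser mechanism that is scoped by domain rather than by origin. The function names and the one-entry public-suffix list are assumptions made for illustration; the hostnames are the thread's placeholders.

```javascript
// Added example; hostnames are the placeholders used in the thread.
// Same-origin policy and CORS compare the tuple (scheme, host, port).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 section 5.1.3 domain-match: a cookie with Domain=cookieDomain
// is sent to `host` when host equals it or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Browsers refuse Domain= values that are public suffixes. This is a
// constructed one-entry stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["tld"]);

// Returns the narrowest Domain= value that `setter` is allowed to use and
// that `receiver` also domain-matches, or null if there is none.
function sharedCookieScope(setter, receiver) {
  const labels = setter.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const d = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(d)) continue;
    if (domainMatches(setter, d) && domainMatches(receiver, d)) return d;
  }
  return null;
}

// Summarises one homeserver/client layout.
function assess(homeserverUrl, clientUrl) {
  const hs = new URL(homeserverUrl).hostname;
  const cl = new URL(clientUrl).hostname;
  return {
    sameOrigin: sameOrigin(homeserverUrl, clientUrl),
    clientCookieReachesHomeserver: sharedCookieScope(cl, hs),
    homeserverCookieReachesClient: sharedCookieScope(hs, cl),
  };
}

console.log(assess("https://domain.tld", "https://riot.domain.tld"));
console.log(assess("https://matrix.domain.tld", "https://riot.domain.tld"));
console.log(assess("https://domain.tld:8448", "https://domain.tld"));
```
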
