MSC3916 introduced new endpoints which require clients to provide a valid access token in order to access media. The MSC failed to specify guest access requirements for the new endpoints.
This MSC specifies the missing guest access requirements on the new endpoints.
The following endpoints explicitly permit guest access, joining the list of other endpoints already in the specification:
GET /_matrix/client/v1/media/download/{serverName}/{mediaId}
GET /_matrix/client/v1/media/download/{serverName}/{mediaId}/{fileName}
GET /_matrix/client/v1/media/thumbnail/{serverName}/{mediaId}
The rationale for the above endpoints is that being able to see events without the associated media isn't very useful.
For clarity, the following endpoints are not added to the guest access list, as their prior (now deprecated) versions are not already included. A future MSC may change this with sufficient rationale. Note that guests cannot currently upload files, but can send messages/events.
This MSC fixes an issue where guests cannot download images/files.
None applicable.
This MSC does not materially increase the threat profile for guests: guests could already download media using the unauthenticated endpoints.
Prefixed endpoints are excessive for this MSC. Implementations can enable guest access on the existing endpoints safely, or continue to respond with "guest access forbidden" errors. No /versions flag is specified for feature detection: clients with guest access tokens should expect failure until a server advertises a specification version containing this MSC. Clients should continue trying to make requests for the best user experience.
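A sketch of how a homeserver could gate guest tokens on the three endpoints listed in this proposal, added here as an example and not taken from the MSC or any implementation. The `token` record and the function names are hypothetical; `M_GUEST_ACCESS_FORBIDDEN` and `M_MISSING_TOKEN` are the specification's standard error codes. Routes are matched whole rather than by prefix, so guests gain nothing else under `/media/`.

```python
import re
from typing import Optional, Tuple

SEG = r"[^/]+"  # exactly one path segment
PREFIX = r"/_matrix/client/v1/media"

# The three endpoints this MSC opens to guests (method, full-path pattern).
GUEST_MEDIA_ROUTES = [
    ("GET", re.compile(rf"{PREFIX}/download/{SEG}/{SEG}")),
    ("GET", re.compile(rf"{PREFIX}/download/{SEG}/{SEG}/{SEG}")),
    ("GET", re.compile(rf"{PREFIX}/thumbnail/{SEG}/{SEG}")),
]


def guest_allowed(method: str, raw_path: str) -> bool:
    """True if a guest token may call this method and path."""
    path = raw_path.split("?", 1)[0]  # query parameters do not affect the decision
    # Assumption: a later layer might normalise dot segments, so refuse them
    # here instead of letting "download/../x" pass as serverName/mediaId.
    if any(seg in (".", "..") for seg in path.split("/")):
        return False
    # fullmatch anchors both ends: no prefix or suffix slack.
    return any(m == method and rx.fullmatch(path) for m, rx in GUEST_MEDIA_ROUTES)


def authorize(method: str, raw_path: str,
              token: Optional[dict]) -> Tuple[int, Optional[str]]:
    """Return (http_status, errcode); errcode is None when the request may proceed.

    `token` is a hypothetical, already-validated record: None when no access
    token was supplied, otherwise {"is_guest": bool}.
    """
    if token is None:
        return 401, "M_MISSING_TOKEN"  # media on these endpoints needs a token
    if token["is_guest"] and not guest_allowed(method, raw_path):
        return 403, "M_GUEST_ACCESS_FORBIDDEN"
    return 200, None
```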
This MSC has no dependencies.