|
| 1 | +# MSC2774: Giving widgets their ID so they can communicate |
| 2 | + |
| 3 | +Under the [current specification](https://github.com/matrix-org/matrix-doc/pull/2764), widgets are |
| 4 | +able to communicate with their client host, however doing so is a bit difficult if they don't already |
| 5 | +know their widget ID. Some widgets will be able to get their ID from another source like an |
| 6 | +integration manager, however this is not the case for all widgets. |
| 7 | + |
| 8 | +[MSC2762](https://github.com/matrix-org/matrix-doc/pull/2762) has a fair amount of background |
| 9 | +information on widgets, as does the current specification linked above. |
| 10 | + |
| 11 | +## Proposal |
| 12 | + |
| 13 | +Currently widgets can expect a `?widgetId` query parameter sent to them in clients like Element, |
| 14 | +however this has some issues and as such is not proposed to exist any further. One of the issues |
| 15 | +is that the widget must retain the query string, which isn't entirely possible for some frontends |
| 16 | +(they would instead prefer to use the fragment). It's also a privacy risk in that by being sent |
| 17 | +through the query string, the server can be made aware of the widget ID. The widget ID doesn't |
| 18 | +normally contain any useful information (it's an opaque string), however it's not required for |
| 19 | +the server to function under typical usage. |
| 20 | + |
| 21 | +The proposal is to introduce a `$matrix_widget_id` template variable for the URL, similar to the |
| 22 | +existing `$matrix_room_id` variable. Widgets can then have their widget ID wherever they want in |
| 23 | +the widget URL, making it easier on them to find and use. |
| 24 | + |
| 25 | +This carries the same risks as a room ID being passed to the widget: the client can easily lie about |
| 26 | +it, however there's no real risk involved in doing so because it's used for communication only. So |
| 27 | +long as the client is able to identify which widget is talking to it, it doesn't really matter. It's |
| 28 | +more of a problem if the client uses a widget ID from another widget as that could confuse the |
| 29 | +client, however this is believed to be a bug. Clients should also be performing origin checks to |
| 30 | +ensure the widget is talking from a sane origin and not somewhere else, like another tab or browser. |
| 31 | + |
| 32 | +## Potential issues |
| 33 | + |
| 34 | +This is not backwards compatible with the history of widgets so far, so clients and widgets will |
| 35 | +need to be modified to support it. Clients which currently use the `?widgetId` parameter are |
| 36 | +encouraged to continue supporting the parameter until sufficient adoption is reached. |
| 37 | + |
| 38 | +## Alternatives |
| 39 | + |
| 40 | +As mentioned, a query parameter could be used, though this has the issues previously covered. Another |
| 41 | +solution might be to allow a single widget API action which has no widget ID solely for the purpose |
| 42 | +of finding the widget ID, however clients are unlikely to be able to differentiate between two widgets |
| 43 | +if this were the case. |
| 44 | + |
| 45 | +Another solution would be to let the widget discover its widget ID by harvesting it out of the first |
| 46 | +widget API request it sees. This can't always be relied upon (some flows require the widget to |
| 47 | +speak first), and as the widget API becomes more capable it could become a security risk. A malicious |
| 48 | +browser extension could spam the widget with fake requests to try and convince it to talk to it |
| 49 | +instead of the client, thus redirecting some information to the wrong place. |
| 50 | + |
| 51 | +## Unstable prefix |
| 52 | + |
| 53 | +Implementations should use `$org.matrix.msc2774_widget_id` as a variable until this lands in a |
| 54 | +released version of the specification. |
0 commit comments