Deprecate and then remove web_client_location

[aaronraimist]

Having Synapse host a web client is a security risk, as mentioned here: https://github.com/matrix-org/synapse#security-note and I doubt many people are still using it. I think you should deprecate the web_client_location option in homeserver.yaml.

It would also close at least one issue: #1250

[aaronraimist]

For sure the option to point it at a path on disk and have it be served from /_matrix/client should be removed. It is possible that people are relying on the redirect to another URL option but I wouldn't think very many people would be using it.

I'm not sure if this would be considered an unspecced API #8334. As far as I know nothing in the spec mentions hosting a client at /_matrix/client.

[clokep]

Thanks for filing this! I kept meaning to file an issue about removing this... leaving the redirect seems safe, but would be simpler to remove it altogether. 🤷

[hex-m]

Is the redirect supposed to work? It can be useful to have a way to point users to the preferred web-client-instance that their homeserver-admin specified.

I would have assumed that https://matrix-client.matrix.org/_matrix/client/ redirects to https://app.element.io but it gives a 404.

[babolivier]

No solution mentioned in this discussion has been implemented yet I'm afraid.

[ptman]

#11763

[clokep]

We had a discussion about this today in #synapse-dev with the conclusion:

• we deprecate non-redirect web_client_location, and the webclient listener, with intention to remove support for it in a release or two.
• in the meantime, we can also make / redirect directly to the web_client_location if it's absolute, rather than bouncing via /_matrix/client

[clokep]

I believe this is now fixed by #11895 -- the webclient listener no longer exists and web_client_location must be a HTTP(S) URL which gets turned into a redirect.