From e836057e61d8d97e01a36877b46b8deb15a59037 Mon Sep 17 00:00:00 2001
From: Tom Foster <tom@tcpip.uk>
Date: Sun, 9 Jun 2024 11:44:15 +0100
Subject: [PATCH] Federation endpoint is only for users based on that server

---
 proposals/4133-extended-profiles.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/proposals/4133-extended-profiles.md b/proposals/4133-extended-profiles.md
index 1ef3077aa65..cc235c539be 100644
--- a/proposals/4133-extended-profiles.md
+++ b/proposals/4133-extended-profiles.md
@@ -96,7 +96,9 @@ member events.
 ### Server-Server API Changes
 
 1. **GET `/_matrix/federation/v1/query/profile/{userId}/{key_name}`** will mirror the client-server
-   API changes to ensure profile information is consistently available across the federated network.
+   API changes to ensure profile information is consistently available across the federated
+   network. This endpoint must only accept requests for local users on the current homeserver, and
+   homeservers must only request a profile from the homeserver specified in that user's MXID.
 
 ### Capabilities