[Cubicweb] annotating divs with rql and vid

aurélien campéas aurelien.campeas at gmail.com
Fri May 25 10:20:18 CEST 2012


2012/5/25 Nicolas Chauvat <nicolas.chauvat at logilab.fr>

> On Thu, May 24, 2012 at 09:39:24PM +0200, Sylvain Thénault wrote:
> > > 2/ IMHO the direction the web is going is "write client-based apps in
> > > the browser with js and query data backend with sparql". We have RQL
> > > and js already, let's not move back to the standard API-based design
> > > where everything must have a URL known by the developer.
> >
> > This is also a core point that will further drive the discussion. Do we
> > want to be able to run sites with rql input disabled? IMO we've already
> > built a bunch of sites where the answer is definitely yes. And I think
> > we'll have to build some others. Toying with CW has a price...
>
> What would you say were the reasons to disable rql input?
>

Suppress potentially trivial & huge denial of service attacks.


>
> > * what can't we have by disabling rql input, beside allowing users to type
> >   arbitrary rql?
>
> And the answer is ?
>
> > * if we decide rql input is the future, then we should not delay anymore
> >   working on related security concerns.
>
> What are the security issues you think about? The security of several
> sites in production was tested by third parties that did not find
> breaches.
>

Security is one thing, denial of service is another. They are sometimes
conflated.
If we want to expose the full database to anyone, let's do it but not by
default, and let's think seriously about caching and rate limiting features
before ....