[Cubicweb] annotating divs with rql and vid

Sylvain Thénault sylvain.thenault at logilab.fr
Fri May 25 10:43:05 CEST 2012


On 25 May 10:20, aurélien campéas wrote:
> 2012/5/25 Nicolas Chauvat <nicolas.chauvat at logilab.fr>
> 
> > On Thu, May 24, 2012 at 09:39:24PM +0200, Sylvain Thénault wrote:
> > > > 2/ IMHO the direction the web is going is "write client-based apps in
> > > > the browser with js and query data backend with sparql". We have RQL
> > > > and js already, let's not move back to the standard API-based design
> > > > where everything must have a URL known by the developer.
> > >
> > > This is also a core point that will further drive the discussion. Do we
> > > want to be able to run sites with rql input disabled? IMO we've already
> > > built a bunch of sites where the answer is definitely yes. And I think
> > > we'll have to build some others. Toying with CW has a price...
> >
> > What would you say were the reasons to disable rql input?
> 
> Suppress potentially trivial & huge denial of service attacks.
 
Yep, that was what I was thinking about behind the generic "security" term. 

> > > * what can't we have by disabling rql input, besides allowing users to type
> > >   arbitrary rql?
> >
> > And the answer is ?

That was a real question. IMO there are only a few cubes/applications actually
relying on this and without an easy alternative option (eg eid=1234).

> > > * if we decide rql input is the future, then we should not delay anymore
> > >   working on related security concerns.
> >
> > What are the security issues you think about? The security of several
> > sites in production was tested by third parties that did not find
> > breaches.

LOL
-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (09.54.03.55.76)
Formations Python, Debian, Méth. Agiles: http://www.logilab.fr/formations
Développement logiciel sur mesure:       http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org
