Edward Z. Yang wrote:
Servers pass a lot of interesting information to the CGI
programs in the form of environment variables (for example,
if you do client cert authentication, that info comes in the
form of an environment variable.) It would be great if
Ur/Web could access that information.
Now, implementing this requires a little bit of cooperation
from the SAPIs, since, for example, FastCGI passes in its
environment variables from the wire, so just calling getenv
doesn't work. But probably a 'getenv : string -> transaction string'
would work reasonably well.
Just exposing the environment variables literally doesn't sound so
appetizing: any [transaction] code would be able to read any environment
variable. There could be sensitive information in there, and it's nice
to be able to run other people's library code without worrying that it
can read sensitive information.
Ur/Web already supports a whitelist of HTTP headers that may be read by
transactions. What do you think of a directive that maps an environment
variable name in as a specific HTTP header? Then the existing mechanism
can do double-duty via a single whitelist.
Another idea would be to create an abstract "capability" type, where a
page handler may always request such a value as a function argument.
State-access functions like header/environment variable reading could
require a value of this type as an argument, so that a page handler
could call other functions without giving them direct access to touch
the request/response context.
I'm inclined to implement both of these ideas.
_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
