On 02/06/2013 10:49 AM, Chris Steipp wrote:
> In general, it seems to me like there will be more attacks opened up
> by having Lua open network requests to the API than there would be by
> defining an internal API.

Initially the use case will be providing access to the Wikidata API, not
the MediaWiki API in general. A URL-style API can be opened up to
provide access to some endpoints in the local MediaWiki API in the
future if those are indeed safe, but I agree that we should be careful
about this. Those local endpoints could also be handled as local method
calls instead of actually performing an HTTP request.

> But if that turns out to be the best way to
> handle it, then we'll just need to spend the time making sure it's
> done in a safe way.

Agreed. If we started out restricted to the Wikidata API only, the
initial effort to verify safety should be quite manageable though.
Additional URL-based APIs would need to be vetted before being
whitelisted, but would not require a new Lua API.

Gabriel

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
