Please don't forget about the hybrid approach -- API supports FauxRequests - so an API call can be made without doing a web call, but an internal one instead, without any json or startup overhead:
http://www.mediawiki.org/wiki/API:Calling_internally On Wed, Feb 6, 2013 at 2:08 PM, Gabriel Wicke <gwi...@wikimedia.org> wrote: > On 02/06/2013 10:49 AM, Chris Steipp wrote: > > In general, it seems to me like there will be more attacks opened up > > by having lua open network requests to the api, than there would be by > > defining an internal api. > > Initially the use case will be providing access to the Wikidata API, not > the MediaWiki API in general. A URL-style API can be opened up to > provide access to some end points in the local MediaWiki API in the > future if those are indeed safe, but I agree that we should be careful > about this. Those local end points could also be handled as local method > calls instead of actually performing an HTTP request. > > > But if that turns out to be the best way to > > handle it, then we'll just need to spend the time making sure it's > > done in a safe way. > > Agreed. If we started out restricted to the Wikidata API only, the > initial effort to verify safety should be quite manageable though. > Additional URL-based APIs would need to be vetted before being > whitelisted, but would not require a new Lua API. > > Gabriel > > _______________________________________________ > Wikitech-l mailing list > Wikitech-l@lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l