On Wed, Feb 6, 2013 at 8:54 AM, Gabriel Wicke gwicke@wikimedia.org wrote:
Local HTTP requests have pretty low overhead (1-2ms), but api.php suffers from high start-up costs (35-40ms). This is more an issue with api.php and the PHP execution model than with HTTP though, and might be improved in the future.
I would vote against local http requests, if we can avoid it. They can certainly be done safely if you design them correctly, but for example, you write a write a lua template, that calls an api that uses the same lua template that calls the api,... single request DoS!
We should definitely pick the design that makes the most sense, but keeping new attack vectors to a minimum would be good.