On Wed, Feb 6, 2013 at 8:54 AM, Gabriel Wicke <gwicke(a)wikimedia.org> wrote:
Local HTTP requests have pretty low overhead (1-2ms),
but api.php
suffers from high start-up costs (35-40ms). This is more an issue with
api.php and the PHP execution model than with HTTP though, and might be
improved in the future.
I would vote against local http requests, if we can avoid it. They can
certainly be done safely if you design them correctly, but for
example, you write a write a lua template, that calls an api that uses
the same lua template that calls the api,... single request DoS!
We should definitely pick the design that makes the most sense, but
keeping new attack vectors to a minimum would be good.