Please don't forget about the hybrid approach -- API supports FauxRequests
- so an API call can be made without doing a web call, but an internal one
instead, without any json or startup overhead:
On Wed, Feb 6, 2013 at 2:08 PM, Gabriel Wicke <gwicke(a)wikimedia.org> wrote:
> On 02/06/2013 10:49 AM, Chris Steipp wrote:
>> In general, it seems to me like there will be more attacks opened up
>> by having lua open network requests to the api, than there would be by
>> defining an internal api.
>
> Initially the use case will be providing access to the Wikidata API, not
> the MediaWiki API in general. A URL-style API can be opened up to
> provide access to some end points in the local MediaWiki API in the
> future if those are indeed safe, but I agree that we should be careful
> about this. Those local end points could also be handled as local method
> calls instead of actually performing an HTTP request.
>
>> But if that turns out to be the best way to
>> handle it, then we'll just need to spend the time making sure it's
>> done in a safe way.
>
> Agreed. If we started out restricted to the Wikidata API only, the
> initial effort to verify safety should be quite manageable though.
> Additional URL-based APIs would need to be vetted before being
> whitelisted, but would not require a new Lua API.
>
> Gabriel
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
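
The policy discussed in this thread, sketched as an added example that is not part of any message above and is not MediaWiki or Scribunto code: a gate that lets a Lua-supplied URL through only if it names a vetted API endpoint and action, and marks local endpoints for an in-process call instead of HTTP. The `ALLOWED` table, the `route` function, the `Rejected` class and the host `wiki.example.org` are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed policy table (constructed for this example): exact host -> how the
# endpoint is reached and which API actions have been vetted for it.
ALLOWED = {
    "www.wikidata.org": {"mode": "http", "actions": {"wbgetentities"}},
    # The local wiki: served by an in-process call, never by an HTTP request.
    "wiki.example.org": {"mode": "internal", "actions": {"query"}},
}
API_PATH = "/w/api.php"


class Rejected(ValueError):
    """Raised when a URL falls outside the vetted set."""


def route(url):
    """Return (mode, host, params) for a vetted URL, or raise Rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise Rejected("scheme")
    # Userinfo makes "https://allowed-host@other-host/" look allowlisted.
    if parts.username is not None or parts.password is not None:
        raise Rejected("userinfo")
    try:
        port = parts.port
    except ValueError:
        raise Rejected("port")
    if port not in (None, 443):
        raise Rejected("port")
    # Exact match on the parsed hostname, not a prefix or suffix test.
    host = (parts.hostname or "").lower()
    rule = ALLOWED.get(host)
    if rule is None:
        raise Rejected("host")
    if parts.path != API_PATH or parts.fragment:
        raise Rejected("path")
    query = parse_qs(parts.query, keep_blank_values=True)
    # Repeated parameters can be read differently by different parsers.
    if any(len(values) != 1 for values in query.values()):
        raise Rejected("duplicate parameter")
    params = {key: values[0] for key, values in query.items()}
    if params.get("action") not in rule["actions"]:
        raise Rejected("action")
    return rule["mode"], host, params
```

A caller would perform the HTTP request only when the returned mode is `http`, and hand `params` to the wiki's internal API call when it is `internal`.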