Webpagemakerapi: Difference between revisions

→‎Risk considerations: changed from rel=nofollow to x-robots-tag
(Created page with "= Document Overview = {| |'''Feature/Product:''' || WebPageMaker for Summer Campaign |- |'''Projected Freeze Date:''' || &lt...")
 
 
(14 intermediate revisions by 3 users not shown)
|'''Projected Freeze Date:''' || <Placeholder>
|-
|'''Product Champions:''' || [https://mozillians.org/simonwex Simon Wex], [[User:davida|David Ascher]], Michelle Levesque
|-
|'''Privacy Champions:''' ||

==Timeline==

{|
|'''WebPageMaker Checkpoint #2''' || All production issues (scalability, privacy standards, etc.) have been resolved. || '''20-May-2012 (*soon*)'''
|}

= Introduction to WebPageMakerAPI's Client -- WebPageMaker =

* Easily make a new guided learning experience.


For more information on WebPageMaker, see [https://etherpad.mozilla.org/webpagemaker-pitch WebPageMaker for Summer Campaign].

= WebPageMakerAPI Overview =


The API is a two-endpoint HTTP API that accepts HTML documents via POST and serves them back under a short URL. The HTML documents are cleaned by [http://pypi.python.org/pypi/bleach Bleach] before being served. [https://github.com/mozilla/playdoh Playdoh] is the planned implementation framework.
 
== API Methods ==

These are documented in the [https://github.com/mozilla/webpagemaker/tree/development/webpagemaker/api#readme API README].

{| class="wikitable"
|-
! Name
! Endpoint
! HTTP Method
! Parameters
! Return
|-
| Create Page
| /page
| POST
| Raw POST data (HTML)
| Relative short URL id (e.g. "/ja5bn")
|-
| Read Page
| /{short url id}
| GET
| short url id (in path)
| Sanitized HTML ([http://pypi.python.org/pypi/bleach Bleach])
|}

== Stored Data ==

End-user created HTML documents are stored in MySQL.

== Risk considerations ==

{| class="wikitable"
|-
! Risk
! Mitigation Strategy
|-
| Copyrighted work can be stored and distributed through the API
|
* Documents will require DOCTYPE definitions and syntactically correct HTML
* Documents will be limited to 10,000 characters
|-
| Documents hosted via the API could be used as link farms
|
* Documents will be delivered with an <code>X-Robots-Tag: noindex, nofollow</code> header.
|-
| JavaScript could be used in a multitude of ways to compromise client machines
|
* All JavaScript will be stripped using Bleach before it is served. The Bleach allowlist has to exclude event-handler attributes (<code>on*</code>) and non-http(s) URL schemes (<code>javascript:</code>), not only the <code>&lt;script&gt;</code> element, for this to hold.
|-
| Database insertion could be used as a DoS attack vector
|
* Rate limiting will be implemented along with the above size limitations
|}
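The mitigations in the table above (the size and DOCTYPE checks, JavaScript stripping, the <code>X-Robots-Tag</code> header and rate limiting), as an added illustration that is not the WebPageMaker project's own code. It uses only the Python standard library; the project itself cleans with Bleach, and the allowlist parser here stands in for it to show what stripping JavaScript has to cover (<code>&lt;script&gt;</code> and <code>&lt;style&gt;</code> bodies, every <code>on*</code> handler attribute, and <code>javascript:</code> URLs). The 10,000-character limit and the header value come from the table; the function names, the tag and attribute allowlist, and the rate-limit window are assumptions.

```python
"""Added illustration, not WebPageMaker's code: the risk-table mitigations
with the standard library only. The project uses Bleach; the allowlist
parser below is a stand-in. MAX_CHARS and the X-Robots-Tag value come from
the table; names, allowlist and rate-limit window are assumptions."""
import re
import time
from collections import defaultdict, deque
from html import escape
from html.parser import HTMLParser

MAX_CHARS = 10_000                                      # from the risk table
ROBOTS_HEADER = ("X-Robots-Tag", "noindex, nofollow")   # link-farm mitigation
DOCTYPE_RE = re.compile(r"^\s*<!DOCTYPE\s+html", re.IGNORECASE)

# Assumed allowlist: markup a learner's page needs, nothing that runs code.
ALLOWED_TAGS = {"html", "head", "title", "body", "h1", "h2", "h3", "p", "a",
                "ul", "ol", "li", "strong", "em", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"img", "br"}
# Scheme allowlist: rejects javascript:, data:, vbscript: and obfuscated forms.
SAFE_URL_RE = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)


class RejectedDocument(ValueError):
    """Raised for input that fails a pre-storage check."""


def validate(html_doc):
    """Size cap and DOCTYPE check; well-formedness is left to the tolerant parser."""
    if len(html_doc) > MAX_CHARS:
        raise RejectedDocument(f"document exceeds {MAX_CHARS} characters")
    if not DOCTYPE_RE.match(html_doc):
        raise RejectedDocument("document must start with <!DOCTYPE html>")
    return True


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags/attributes only. Script and
    style bodies are discarded, not unwrapped, so inline code never survives
    as text; unknown attributes (every on* handler) and unsafe URLs go too."""

    DROP_WITH_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0                      # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):   # HTMLParser lowercases names
        if tag in self.DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name in ("href", "src") and not SAFE_URL_RE.match(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")       # keeps the required DOCTYPE


def sanitize(html_doc):
    """Serve-time cleaning; the Read Page endpoint returns this output."""
    parser = AllowlistSanitizer()
    parser.feed(html_doc)
    parser.close()
    return "".join(parser.out)


class RateLimiter:
    """Sliding-window cap on page creations per client (DoS mitigation)."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self._hits = defaultdict(deque)

    def allow(self, client_ip):
        now = self.clock()
        hits = self._hits[client_ip]
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def create_page(raw_html, client_ip, limiter):
    """POST /page: rate-limit, then validate; returns the document to store."""
    if not limiter.allow(client_ip):
        raise RejectedDocument("rate limit exceeded")
    validate(raw_html)
    return raw_html


def read_page(stored_html):
    """GET /{id}: clean on the way out and attach the robots header."""
    headers = {"Content-Type": "text/html; charset=utf-8",
               ROBOTS_HEADER[0]: ROBOTS_HEADER[1]}
    return sanitize(stored_html), headers
```

With Bleach in place, <code>sanitize</code> corresponds to <code>bleach.clean(doc, tags=..., attributes=..., protocols=..., strip=True)</code> with the same allowlist; the property that matters is the same either way, that event-handler attributes and non-http(s) schemes are outside the allowlist rather than only the <code>&lt;script&gt;</code> element.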