Webpagemakerapi: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(→‎Risk considerations: changed from rel=nofollow to x-robots-tag)
 
(9 intermediate revisions by 3 users not shown)
Line 6: Line 6:
|'''Projected Freeze Date:''' || <Placeholder>
|'''Projected Freeze Date:''' || <Placeholder>
|-
|-
|'''Product Champions:''' || [[User;simonwex|Simon Wex]], [[User:davida|David Ascher]]
|'''Product Champions:''' || [https://mozillians.org/simonwex Simon Wex], [[User:davida|David Ascher]], Michelle Levesque
|-
|-
|'''Privacy Champions:''' ||  
|'''Privacy Champions:''' ||  
Line 35: Line 35:
= WebPageMakerAPI Overview =
= WebPageMakerAPI Overview =


The API is a two-endpoint HTTP API that accepts (via POST) HTML documents and serves those documents via a short url. The HTML documents are cleaned by [http://pypi.python.org/pypi/bleach  Bleach] before being served.
The API is a two-endpoint HTTP API that accepts (via POST) HTML documents and serves those documents via a short url. The HTML documents are cleaned by [http://pypi.python.org/pypi/bleach  Bleach] before being served. [https://github.com/mozilla/playdoh Playdoh] is the planned implementation framework.


= API Methods =
== API Methods ==


<table>
These are documented in the [https://github.com/mozilla/webpagemaker/tree/development/webpagemaker/api#readme API README].
  <tr>
 
    <td>Name</td>
== Stored Data ==
    <td>Endpoint</td>
 
    <td>HTTP Method</td>
End-user created HTML documents are stored in MySQL.
    <td>Parameters</td>
 
    <td>Return</td>
== Risk considerations ==
</tr>
 
  <tr>
{| class="wikitable"
    <td>Create Page</td>
|-
    <td>/page</td>
! Risk
    <td>POST</td>
! Mitigation Strategy
    <td>Raw Post Data (HTML)</td>
|-
    <td>Relative Short URL id (eg. "/ja5bn")</td>
| Copyrighted work can be stored and distributed through the API
  </tr>
|
  <tr>
* Documents will require DOCTYPE definitions and syntactically correct HTML
    <td>Read Page</td>
* Documents will be limited to 10,000 characters
    <td>/{short url id}</td>
|-
    <td>GET</td>
| Documents hosted via the API could be used as link farms
    <td>short url id (in path)</td>
|
    <td>Sanitized ([http://pypi.python.org/pypi/bleach Bleach])</td>
* Documents will be delivered with a <code>X-Robots-Tag: noindex, nofollow</code> header.
  </tr>
|-
</table>
| Javascript could be used in a multitude of ways to compromise client machines
|
* All Javascript will be stripped using Bleach before it is served
|-
| Database insertion could be used as a DOS attack vector
|
* Rate limiting will be implemented along with above size limitations
|}

Latest revision as of 19:25, 17 May 2012

Document Overview

Feature/Product: [WebPageMaker for Summer Campaign]
Projected Freeze Date: <Placeholder>
Product Champions: Simon Wex, David Ascher, Michelle Levesque
Privacy Champions:
Security Contact:
Document State:


Timeline

WebPageMaker Checkpoint #2 All production issues (scalability, privacy standards, etc.) have been resolved. 20-May-2012 (*soon*)

Introduction to WebPageMakerAPI's Client -- WebPageMaker

WebPageMakerAPI is a simple API used for persisting and sharing HTML documents by the WebPageMaker Gallery. Building on what's been started with LoveBomb and StoryThing, the Web Page Maker app is designed to let people:

  • Go to make.mozilla.org and make a web page fast.
  • Share what you make in a low friction way (ie. don't need your own hosting).
  • Make something nice based on one of our beautiful remixable templates.
  • Learn web literacy skills by making things following our step-by-step guided learning experiences (which are themselves hackable webpages).
  • Easily make a new guided learning experience.

For more information on WebPageMaker, see WebPageMaker for Summer Campaign

WebPageMakerAPI Overview

The API is a two-endpoint HTTP API that accepts (via POST) HTML documents and serves those documents via a short url. The HTML documents are cleaned by Bleach before being served. Playdoh is the planned implementation framework.

API Methods

These are documented in the API README.

Stored Data

End-user created HTML documents are stored in MySQL.

Risk considerations

Risk Mitigation Strategy
Copyrighted work can be stored and distributed through the API
  • Documents will require DOCTYPE definitions and syntactically correct HTML
  • Documents will be limited to 10,000 characters
Documents hosted via the API could be used as link farms
  • Documents will be delivered with a X-Robots-Tag: noindex, nofollow header.
Javascript could be used in a multitude of ways to compromise client machines
  • All Javascript will be stripped using Bleach before it is served
Database insertion could be used as a DOS attack vector
  • Rate limiting will be implemented along with above size limitations
Retrieved from "https://wiki.allizom.org/index.php?title=Webpagemakerapi&oldid=432141"