On Tue, Nov 11, 2008 at 12:22 AM, Chris Anderson <[EMAIL PROTECTED]> wrote:
> On Mon, Nov 10, 2008 at 8:16 PM, Dean Landolt <[EMAIL PROTECTED]>
> wrote:
>
> > Are there any other security concerns in that light?
> > I've left my instance wide for a few friends to play with -- perhaps I
> > should have asked this earlier.
>
> All I can think of is that we're only as safe as the couchjs sandbox.
> Which is probably safe, but you can send arbitrary http requests with
> action servers (and even from views if you are psycho) so there's
> always the danger of abuse from people who can edit design docs.

But if you have access to _utils you have access to design docs -- and there's no way around that until security lands. Oh well, I've always lived dangerously.

> > But yeah, if I squash the unobtrusive thing I'll probably only
> > need an action for periodic feed updates
>
> As long as you don't care about Google or people who haven't updated
> their browser in 3 years, there's no reason to be creating dynamic
> html.

Good point. Sometimes I can't help but get wrapped up in the minutiae of web development fads. That said, designing for base html has absolutely paid back in spades when it comes time to change or extend an app -- it's forced me to be a little less fast and loose with my inline events and a little cleaner with my semantics.

> > I already tried it -- I couldn't help myself. An hour ago all I got was a
> > black screen -- now I see some action down below (other than the tweet form
> > everything gets cut off on Firefox Ubuntu Hardy).
>
> Yeah that's a not very fun failure mode. I should at least put up
> "you're not alone" screen for when that happens. I'm still not sure
> the cause of it. The Twitter API is a little flaky, so who knows what
> role it plays here.

To me this seems like another place where an action server may be the best answer. Why let twitter f* with your ui? Why handle every failure and idiosyncrasy in the view code?

I guess twitter events can't really *poll* -- I don't know how something like comet would work with couch, but I would imagine it's feasible. I hear nothing but complaints about how broken the twitter API is -- so I say who needs it. Yeah, you need to reach out and grab the updates from the API, and yes, updates ought to be event-driven -- but that doesn't mean your ui has to depend on their brokenness.

The *how to fix twitter* conversation is an amusing (and never-ending) meme, but from what I gather, every suggestion worth its salt has one thing in common -- federation. Why can't couch get in on the act -- it's a perfect persistence layer to store a given user's twitters, and with an action server, respond to requests. Sure, post them to the twitter API, but if possible, why not give some indication of how to dereference them for subscribers, especially during an all-too-common outage?

> --
> Chris Anderson
> http://jchris.mfdz.com