Excerpts from Sam Mason's message of mar nov 09 08:06:12 -0300 2010: > On Mon, Nov 08, 2010 at 12:55:22PM -0300, Alvaro Herrera wrote: > > Excerpts from Charles Pritchard's message of sáb nov 06 23:20:13 -0300 2010: > > > > > Simple async sql sub-set (the spec in trouble): > > > http://dev.w3.org/html5/webdatabase/ > > > > This is insane. This spec allows the server to run arbitrary SQL > > commands on the client, AFAICT. That seems like infinite joy for > > malicious people running webservers. The more powerful the dialect of > > SQL the client implements, the more dangerous it is. > > How is this different from the server asking the client to run an > infinite loop in javascript?
So we already failed :-) It seems that being able to kill processes is seen as "good enough" ... well, I guess I just don't visit many malicious sites. And this makes me think that SQLite is indeed the right tool for the job here, and not PostgreSQL. If someone intrudes, it's going to be in the same process running the web browser, not in some server running under another user identity in the machine. That seems like a feature to me, not a bug. -- Álvaro Herrera <alvhe...@commandprompt.com> The PostgreSQL Company - Command Prompt, Inc. PostgreSQL Replication, Consulting, Custom Development, 24x7 support -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
