On Tue, Mar 13, 2018 at 5:32 AM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Tue, 13 Mar 2018 05:03:21 +1100
> Chris Angelico <ros...@gmail.com> wrote:
>> Using the 'secrets' module to generate URLs like this isn't wrong;
>> since these URLs have to be unguessable (you shouldn't be able to type
>> http://metube.example/aaaaac and get someone's secret unlisted video),
>> their identifiers have to be functionally equivalent to session IDs
>> and such. And since advertisers *do* want to put links to their videos
>> onto billboards, QR codes are definitely a thing; and companies won't
>> use metube if its competitor's QR codes can be scanned reliably from
>> two platforms across and ours need to be scanned from right up next to
>> it.
> Yeah.  So people building such a platform can use a custom token
> length.  Still, I think it's better to have a future-proof default token
> length.  People will know if they need to shorten it for usability
> reasons.  However, if we default to shorter tokens, people won't
> know whether they need to ask for a longer length for security reasons.
> "Secure by default, better usability with a simple parameter tweak"
> sounds like a sane API guideline.

Yep, I think we're on the same page here!

Python-ideas mailing list
Code of Conduct: http://python.org/psf/codeofconduct/
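To put numbers on the trade-off the thread discusses, here is an added example (not code from the thread or from CPython) that uses `secrets.token_urlsafe` for the hypothetical "metube" unlisted-video identifier and estimates how blind guessing scales with the byte count; it assumes an attacker who can only probe random URLs and ignores rate limiting.

```python
import math
import secrets

# Read CPython's default rather than hard-coding it; this is the value the
# thread debates (32 bytes in current CPython).
DEFAULT_NBYTES = secrets.DEFAULT_ENTROPY


def entropy_bits(nbytes: int) -> int:
    """Bits of entropy in a token built from nbytes random bytes."""
    return 8 * nbytes


def token_chars(nbytes: int) -> int:
    """Characters in secrets.token_urlsafe(nbytes): base64url with '=' padding stripped."""
    return math.ceil(4 * nbytes / 3)


def video_id(nbytes: int = DEFAULT_NBYTES) -> str:
    """Unguessable identifier for an unlisted video (hypothetical 'metube' service).

    Secure by default; a platform that needs a short QR-friendly URL passes a
    smaller nbytes deliberately instead of getting a weak token by accident."""
    return secrets.token_urlsafe(nbytes)


def blind_guess_probability(nbytes: int, tokens_issued: int, guesses: int) -> float:
    """Upper bound (union bound) on the chance that `guesses` uniformly random
    probes hit any of `tokens_issued` live tokens; rate limiting is ignored."""
    hits = guesses * tokens_issued / 2 ** entropy_bits(nbytes)
    return min(1.0, hits)


def nbytes_for(tokens_issued: int, guesses: int, max_probability: float) -> int:
    """Smallest nbytes that keeps blind_guess_probability below max_probability."""
    nbytes = 1
    while blind_guess_probability(nbytes, tokens_issued, guesses) >= max_probability:
        nbytes += 1
    return nbytes


if __name__ == "__main__":
    for n in (DEFAULT_NBYTES, 16, 6):
        print(n, "bytes ->", entropy_bits(n), "bits,", token_chars(n), "chars:", video_id(n))
    # Constructed sizing question: 1e9 videos, 1e12 lifetime probes, 1e-6 tolerance.
    print("minimum nbytes:", nbytes_for(10**9, 10**12, 1e-6))
```

The short 6-byte token that fits comfortably in a QR code is already within reach of a determined scanner on a large service, which is the asymmetry Antoine's "secure by default" argument is about.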
