Hi, The ACRA package includes a JavaScript list function[1] which generates an RSS feed. The resultant XML document needs to contain absolute URLs to other documents in the CouchDB instance.
One concern I had with this code is that the generated URLs always use http:. Viewing the linked pages requires logging in with admin rights, so it is better to generate a https: URL when possible. Ideally this would be determined based on whether the RSS feed's URL used http or https. Unfortunately I was not able to find any indication of SSL status in the CouchDB JavaScript docs[2] or in the "req" JSON object. Another concern is that it is using "req.headers.Host" to derive the hostname; this appears to come from the raw HTTP headers. It is not clear to me whether this string is validated/sanitized in 100% of all cases. It might be safer to take this from the server configuration than from the user request. Is there a way to access the URL protocol (http/https) and hostname from JavaScript, similar to the HTTPS and HTTP_HOST environment variables on Apache httpd? [1] https://github.com/ACRA/acra-storage/blob/master/lists/rss.js [2] http://docs.couchdb.org/en/latest/query-server/javascript.html
