From: "Chris Anderson" (Sender: jchris@gmail.com)
Date: Mon, 10 Nov 2008 21:22:51 -0800
To: couchdb-user@incubator.apache.org
Subject: Re: action servers

On Mon, Nov 10, 2008 at 8:16 PM, Dean Landolt wrote:
> Are there any other security concerns in that light?
> I've left my instance wide for a few friends to play with -- perhaps I
> should have asked this earlier.

All I can think of is that we're only as safe as the couchjs sandbox. Which is probably safe, but you can send arbitrary http requests with action servers (and even from views if you are psycho) so there's always the danger of abuse from people who can edit design docs.

> But yeah, if I squash the unobtrusive thing I'll probably only
> need an action for periodic feed updates

As long as you don't care about Google or people who haven't updated their browser in 3 years, there's no reason to be creating dynamic html.

> I already tried it -- I couldn't help myself. An hour ago all I got was a
> black screen -- now I see some action down below (other than the tweet form
> everything gets cut off on Firefox Ubuntu Hardy).

Yeah that's a not very fun failure mode. I should at least put up a "you're not alone" screen for when that happens. I'm still not sure of the cause of it. The Twitter API is a little flaky, so who knows what role it plays here.

--
Chris Anderson
http://jchris.mfdz.com