[Catalog-sig] Hosting documentation on PyPI
Ian Bicking
ianb at colorstudy.com
Wed Aug 6 19:14:43 CEST 2008
Ian Bicking wrote:
> Martin v. Löwis wrote:
>>> There's an XSS concern if users can upload arbitrary HTML. Approval
>>> would address some of that, but it might be better to avoid the issue
>>> altogether.
>>>
>>> One way to handle that would be to host each package's documentation on
>>> a different domain. E.g., package.pypi.python.org.
>>
>> Can you please elaborate? What is the issue, and how could creating
>> domains resolve it?
>
> The issue is that you can put in Javascript that does XMLHttpRequests to
> other URLs on the same domain, and those requests can do things like
> change a user's password, delete packages, etc. The Javascript will be
> run as the person who is viewing the page. So if I am logged in to PyPI
> and view some random page on pypi.python.org, and that page contains
> malicious Javascript, that malicious Javascript can do anything on
> pypi.python.org as though it was me doing it.
>
> You can't make XMLHttpRequests across domains, so by putting each
> package on its own domain you avoid the problem.
On second thought, simply by using a read-only domain (one that has no
admin on the domain itself) you'd also be fine. So
http://pypidocs.python.org/package/* would work fine, so long as all the
management for that remained on pypi.python.org.
I personally like domains for projects, though package.pypi.python.org
is a bit long-winded anyway. A new top-level domain (pypackage.org or
pyforge.org or something) would mitigate that. But any place to drop
docs would be nice. Especially with Sphinx I think we'll get more
libraries with multi-page HTML docs.
--
Ian Bicking : ianb at colorstudy.com : http://blog.ianbicking.org
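The separation argued for in this thread rests on three things a browser enforces or does not enforce: which URLs count as the same origin, which host a session cookie is attached to, and what the docs host will do with a request even if a cookie does reach it. The following is an added example (not code from this thread or from PyPI) that works each of those out; it assumes pypidocs.python.org as the read-only docs host and pypi.python.org as the management host, and the page content is constructed.

```python
"""Origin separation for hosted package docs: same-origin comparison,
cookie scope check, and a read-only WSGI app for the docs host.
Added illustration; the host names follow the thread, pages are made up."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple the browser's same-origin
    policy compares (RFC 6454). Path and query play no part, which is why
    /package/a/ and /package/b/ on one host are one origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url_a, url_b):
    """True if script loaded from url_a may read responses from url_b
    and reach it with the browser's ambient credentials."""
    return origin(url_a) == origin(url_b)


def cookie_sent_to(request_host, cookie_domain, host_only=True):
    """RFC 6265 domain matching: would a cookie set with this Domain be
    attached to a request for request_host? A host-only cookie (no Domain
    attribute) goes only to the exact host that set it; a cookie set with
    Domain=.python.org also reaches every subdomain, docs host included."""
    rh = request_host.lower()
    cd = cookie_domain.lower().lstrip(".")
    if host_only:
        return rh == cd
    return rh == cd or rh.endswith("." + cd)


# Constructed static content standing in for an uploaded documentation tree.
DOCS = {
    "/package/foo/index.html": b"<html><body>foo docs</body></html>",
}


def docs_app(environ, start_response):
    """WSGI app for the read-only docs origin: GET/HEAD only, no login,
    and the Cookie header is never read. Script inside one package's docs
    therefore cannot change anything here, even if a session cookie was
    scoped widely enough to leak across to this host."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method not in ("GET", "HEAD"):
        start_response("405 Method Not Allowed",
                       [("Allow", "GET, HEAD"), ("Content-Type", "text/plain")])
        return [b"docs host is read-only; manage packages on pypi.python.org\n"]
    body = DOCS.get(environ.get("PATH_INFO", ""))
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [b""] if method == "HEAD" else [body]


def call(app, method, path, cookie=None):
    """Drive a WSGI app with a constructed environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "SERVER_NAME": "pypidocs.python.org", "wsgi.url_scheme": "http"}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Uploaded HTML on the main host shares an origin with the admin pages.
    print(same_origin("http://pypi.python.org/pypi",
                      "http://pypi.python.org/package/foo/docs/"))
    # A per-package subdomain is a different origin.
    print(same_origin("http://pypi.python.org/", "http://foo.pypi.python.org/"))
    # A host-only PyPI cookie never reaches the docs host; a .python.org one does.
    print(cookie_sent_to("pypidocs.python.org", "pypi.python.org", host_only=True))
    print(cookie_sent_to("pypidocs.python.org", ".python.org", host_only=False))
    # Even with a cookie attached, the docs host refuses state-changing requests.
    print(call(docs_app, "POST", "/package/foo/index.html", cookie="session=x"))
```

The cookie check is the caveat worth keeping in mind with the single read-only domain: if the main site ever sets its session cookie with a `Domain=.python.org` attribute, the browser will send it to pypidocs.python.org as well, so the docs host has to be read-only by construction (as `docs_app` is) rather than merely by not having a login page.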