[Catalog-sig] Hosting documentation on PyPI
Philipp von Weitershausen
philipp at weitershausen.de
Wed Aug 6 20:21:02 CEST 2008
Ian Bicking wrote:
> Ian Bicking wrote:
>> Martin v. Löwis wrote:
>>>> There's an XSS concern if users can upload arbitrary HTML. Approval
>>>> would address some of that, but it might be better to avoid the issue
>>>> One way to handle that would be to host each package's documentation on
>>>> a different domain. E.g., package.pypi.python.org.
>>> Can you please elaborate? What is the issue, and how could creating
>>> domains resolve it?
>> to other URLs on the same domain, and those requests can do things
>> will be run as the person who is viewing the page. So if I am logged
>> in to PyPI and view some random page on pypi.python.org, and that page
>> anything on pypi.python.org as though it was me doing it.
>> You can't make XMLHttpRequests across domains, so by putting each
>> package on its own domain you avoid the problem.
> On second thought, simply by using a read-only domain (one that has no
> admin on the domain itself) you'd also be fine. So
> http://pypidocs.python.org/package/* would work fine, so long as all the
> management for that remained on pypi.python.org.
> I personally like domains for projects, though package.pypi.python.org
> is a bit long winded anyway. A new top-level domain (pypackage.org or
> pyforge.org or something) would mitigate that. But any place to drop
> docs would be nice. Especially with Sphinx I think we'll get more
> libraries with multi-page HTML docs.
What about distribution names with dots in them? Or worse, spaces? Both
are allowed by setuptools and PyPI and I've seen them in the wild
(especially dotted distribution names aren't uncommon when a namespaced
package is distributed under its package name, e.g. zope.interface).
More information about the Catalog-SIG