Open Stack

On 27/10/2011, at 3:19 PM, Mark Nottingham wrote:

>> I floated the idea a while back that we get rid of variants altogether and instead use an HTML representation to offer the user a choice of how to view the information that includes <pre> elements with JSON and XML formatted text. It could also have a nice human readable representation so that users could directly navigate around in the browser. Remember that the only use case justifying variants are human developers who want to see what the JSON or XML will look like.
>> If we do this, then we have GET /server/1234 and everything is clean. Jorge pointed out one slight problem with this: <pre> can only display textual representations. So no pdfs or excel spreadsheets without conneg. If we could live with this, getting rid of the variants altogether seems like a win.
> 
> 
> Why not just return HTML that uses XHR to pull in the JSON and XML on-demand, when the Accept header prefers HTML? 

Actually, I take it back -- we probably shouldn't be putting any HTML on the same host:port as the API, at all -- the cost of a successful XSS against the raw API is too high, even if there are ways to mitigate the risk. 

<http://www.theregister.co.uk/2011/10/27/cloud_security/>:

> The researchers said Amazon was also vulnerable to cross-site scripting (XSS) attacks that could have allowed users logged onto its online store to hijack an AWS session, using injected JavaScript code. The researchers demonstrated the vulnerability, only possible because signing into Amazon store automatically creates a concurrent AWS cloud service session automatically, at an ACM workshop on cloud security during a presentation entitled All Your Clouds are Belong to us.



--
Mark Nottingham   http://www.mnot.net/