Comments (6)
I do like this approach to implementing the 'sample code' thing.
My only concern is that I'm somewhat wary of allowing an unprotected link to generate new projects. There's no real risk, but you could certainly moderately inconvenience a user by abusing it.
from cloudpebble.
An additional comment on this, @sarfata – what particular features of gist make this an ideal solution, as far as you're concerned? If I were to guess I'd say it was ease of creation/modification and change tracking, but I'm curious as to whether you have any additional points of view. To be clear, I still think this is a good idea.
That said, I think I don't want to have a GET link that can be abused either as a CSRF-style attack or simply accidentally triggered by a preloader; instead, I would prefer to have two paths:
- An untrusted path triggered by a simple link; this would then take the user to a prompt asking them to confirm
- A trusted path that can be used by e.g. the developer site, which includes magic JavaScript that allows it to skip over the prompt and immediately generate a project by the user's request. This could fall back to the untrusted path if JS is unavailable for some reason.
Thoughts?
from cloudpebble.
Ease of use and copy/paste to create new templates was my principal reason for proposing this. I think a full project for each example feels overweight.
Agree with your security constraints. A page to confirm that you actually want to do this seems absolutely appropriate and reasonable. I don't even think we need a trusted path (and if we did use JS I am not sure how we would prevent someone else from using the same trick - that was not clear in your proposal).
from cloudpebble.
The JavaScript could, if the user is already logged in, perform a cross-origin XHR to CloudPebble that effectively replicated the prompt dialog. CORS enables accurately determining the origin domain (and checking some whitelist) and allows for authentication information to be passed through. If the user is not currently authenticated for CloudPebble they would probably be bounced through authentication and immediately redirected to the untrusted path. I am reasonably sure this would be a practical implementation.
The trusted path is probably not critical, but if e.g. having actual "try this" buttons on code samples in documentation is a goal, then I think it would be preferable to be immediately dropped somewhere useful. For simple blog posts and the like, not so much and the untrusted path would be fine.
from cloudpebble.
Sounds good. But again trusted path is not part of the mvp ;)
On Mon, Mar 31, 2014 at 10:58 PM, Katharine Berry [email protected]:

> The JavaScript could, if the user is already logged in, perform a cross-origin XHR to CloudPebble that effectively replicated the prompt dialog. CORS enables accurately determining the origin domain (and checking some whitelist) and allows for authentication information to be passed through. If the user is not currently authenticated for CloudPebble they would probably be bounced through authentication and immediately redirected to the untrusted path. I am reasonably sure this would be a practical implementation.
>
> The trusted path is probably not critical, but if e.g. having actual "try this" buttons on code samples in documentation is a goal, then I think it would be preferable to be immediately dropped somewhere useful. For simple blog posts and the like, not so much and the untrusted path would be fine.
>
> Reply to this email directly or view it on GitHub: https://github.com/CloudPebble/CloudPebble/issues/56#issuecomment-39173259
Thomas Sarlandie - Developer Evangelist
http://www.getpebble.com #makeawesomehappen
+1 916 990 4542 - @sarfata
from cloudpebble.
As described above it's a pretty neatly self-contained extension of the actual mvp, so that works out nicely!
from cloudpebble.
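The two paths discussed in this thread, sketched as an added example (not CloudPebble's code and not written by either participant): a GET only ever renders a confirmation prompt, a POST creates the project when it carries the session's token, and a POST from an allowlisted origin skips the prompt. The `Request` class, the `/import/<gist_id>` and `/login` paths, the session keys, `TRUSTED_ORIGINS` and the `create_project` callback are all hypothetical, and preflight (`OPTIONS`) handling is left out.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import quote

# Assumption: the only origin allowed to skip the prompt (placeholder host).
TRUSTED_ORIGINS = {"https://developer.example.com"}

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # server-side session data

def handle_import(req, gist_id, create_project):
    """Hypothetical /import/<gist_id> handler; returns (status, headers, body)."""
    if "user" not in req.session:
        # Not logged in: authenticate, then land on the untrusted (GET) path.
        target = quote("/import/" + gist_id, safe="")
        return 302, {"Location": "/login?next=" + target}, None
    if req.method == "GET":
        # Untrusted path: a link, prefetch or <img> only ever gets the prompt.
        token = req.session.setdefault("csrf", secrets.token_urlsafe(32))
        return 200, {}, {"confirm_gist": gist_id, "csrf_token": token}
    if req.method != "POST":
        return 405, {"Allow": "GET, POST"}, None
    origin = req.headers.get("Origin", "")
    if origin in TRUSTED_ORIGINS:
        # Trusted path: the Origin check happens server-side before any state
        # change; the CORS headers only let the caller's credentialed XHR
        # read the response.
        cors = {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
        return 201, cors, {"project": create_project(req.session["user"], gist_id)}
    # Confirmation form: require the per-session token issued with the prompt.
    expected = req.session.get("csrf", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, {}, None
    return 201, {}, {"project": create_project(req.session["user"], gist_id)}
```
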