
Katharine commented on July 27, 2024

I do like this approach to implementing the 'sample code' thing.

My only concern is that I'm somewhat wary of allowing an unprotected link to generate new projects. There's no real risk, but you could certainly moderately inconvenience a user by abusing it.

from cloudpebble.

Katharine commented on July 27, 2024

An additional comment on this, @sarfata – what particular features of gist make this an ideal solution, as far as you're concerned? If I were to guess I'd say it was ease of creation/modification and change tracking, but I'm curious as to whether you have any additional points of view. To be clear, I still think this is a good idea.

That said, I think I don't want to have a GET link that can be abused either as a CSRF-style attack or simply accidentally triggered by a preloader; instead, I would prefer to have two paths:

  • An untrusted path triggered by a simple link; this would then take the user to a prompt asking them to confirm
  • A trusted path that can be used by e.g. the developer site, which includes magic JavaScript that allows it to skip over the prompt and immediately generate a project by the user's request. This could fall back to the untrusted path if JS is unavailable for some reason.

Thoughts?


sarfata commented on July 27, 2024

Ease of use and copy/paste to create new templates was my principal reason for proposing this. I think a full project for each example feels overweight.

Agree with your security constraints. A page to confirm that you actually want to do this seems absolutely appropriate and reasonable. I don't even think we need a trusted path (and if we did use JS I am not sure how we would prevent someone else from using the same trick - that was not clear in your proposal).


Katharine commented on July 27, 2024

The JavaScript could, if the user is already logged in, perform a cross-origin XHR to CloudPebble that effectively replicated the prompt dialog. CORS enables accurately determining the origin domain (and checking some whitelist) and allows for authentication information to be passed through. If the user is not currently authenticated for CloudPebble they would probably be bounced through authentication and immediately redirected to the untrusted path. I am reasonably sure this would be a practical implementation.

The trusted path is probably not critical, but if e.g. having actual "try this" buttons on code samples in documentation is a goal, then I think it would be preferable to be immediately dropped somewhere useful. For simple blog posts and the like, not so much and the untrusted path would be fine.

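As an added illustration of the two paths discussed in this thread (the prompt-only untrusted path reached by a bare link, and the trusted path that a whitelisted site uses over a credentialed cross-origin XHR), here is example request-routing logic written for this page; it is not CloudPebble's own code, and the origin whitelist, the `Request` fields and the action names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed whitelist of sites allowed to use the trusted (JS + CORS) path.
TRUSTED_ORIGINS = {"https://developer.getpebble.com"}


@dataclass
class Request:
    method: str                   # "GET", "POST" or "OPTIONS"
    authenticated: bool           # CloudPebble session cookie is valid
    origin: Optional[str] = None  # Origin header; set by the browser, not by page JS
    csrf_ok: bool = False         # the confirm form's token matched the session


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Only a whitelisted origin gets credentialed CORS; echo it back, never '*'."""
    if origin not in TRUSTED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def handle_import(req: Request) -> Tuple[str, Dict[str, str]]:
    """Decide what the gist-import endpoint does with one request.
    Returns (action, headers); action is one of
      'prompt'    render the confirmation page, create nothing
      'preflight' answer a CORS preflight for a trusted origin
      'login'     send the user through authentication first
      'create'    actually generate the project
      'reject'    refuse (e.g. a cross-site POST from a non-whitelisted origin)
    """
    hdrs = cors_headers(req.origin)
    trusted = req.origin in TRUSTED_ORIGINS
    if req.method == "OPTIONS":
        return ("preflight" if trusted else "reject"), hdrs
    if req.method == "GET":
        # Untrusted path: a bare link or a preloader hit can only reach the prompt.
        return "prompt", hdrs
    if req.method != "POST":
        return "reject", hdrs
    if not req.authenticated:
        return "login", hdrs
    if trusted or req.csrf_ok:
        # Trusted path (whitelisted Origin) or the prompt's own confirm form.
        return "create", hdrs
    # A cross-site POST still reaches the server even if CORS hides the response;
    # this Origin/CSRF check, not the CORS headers, is what actually blocks it.
    return "reject", hdrs
```

The check answers the "how would we prevent someone else from using the same trick" question above: a page on a non-whitelisted origin cannot forge its Origin header, cannot read the session-bound CSRF token, and so can only ever land on the prompt.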

sarfata commented on July 27, 2024

Sounds good. But again trusted path is not part of the mvp ;)

On Mon, Mar 31, 2014 at 10:58 PM, Katharine Berry [email protected]:

Katharine commented on July 27, 2024

As described above it's a pretty neatly self-contained extension of the actual mvp, so that works out nicely!
