Closed Bug 401649 (js-sjs) Opened 12 years ago Closed 12 years ago
JS CGI support in httpd
I have a patch for this, but I haven't written a decent set of tests for it yet. I'm currently using the subscript loader and just saying, "don't do stuff outside the promised APIs", which is technically perfectly fine given that handlers will have full privileges, but I still find it somewhat unsatisfying from a reduce-attack-surface-as-much-as-possible perspective. This won't fix bug 396226 or make it possible to not block while generating the entirety of a request, because this can be fixed with relatively little code (~15K if I remember right) where that one can't. It'll just let you dump the request-handling functions you'd use with registerPathHandler in files, so you don't have to have access to the actual server to have dynamic page generation (i.e. exactly the situation Mochitest is in).
Sadly I don't think I have a way to fully isolate the CGI script execution from the server itself, but since the scripts are privileged anyway it's more an aesthetic concern than anything else.
I've been seeing more and more backups in testing over this recently; we need to get this in.
Target Milestone: mozilla1.9beta2 → mozilla1.9beta4
Attachment #300588 - Flags: review?(sayrer) → review-
(In reply to comment #3) > >+const ScriptableInputStream = CC("@mozilla.org/scriptableinputstream;1", > >+ "nsIScriptableInputStream", > >+ "init"); > > These streams might get removed from 1.9, aiui. Are you thinking of bug 414901? I'm pretty sure nsIScriptableInputStream isn't going anywhere.
nsIScriptableInputStream is and has been the only way to access stream data for quite awhile; it absolutely is not going away for 1.9. Note that that definition got moved into the server and *out* of a long-standing, extant test. Neil's stuff is entirely different from what I use here. I didn't know there was a full CGI RFC (thought it was at best a quasi-standard), but I don't really have a problem conflating CGI with server-side dynamic content in general (especially when said content has a better, safer, and more secure interface). In the interests of not getting into too much bikeshedding and as I don't care that much anyway, I switched to SJS. I've never liked the MozJSHTTP name; httpd.js is much nicer-sounding. (Holy initialisms, Batman! [for either name, actually])
Comment on attachment 300858 [details] [diff] [review] cgi -> sjs, some driveby renaming ah, my mistake.
Attachment #300858 - Flags: review?(sayrer) → review+
Checked in on trunk.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Moving httpd.js bugs to the new Testing :: httpd.js component; filter out this bugmail by searching for "ICanHasHttpd.jsComponent".
Component: Testing → httpd.js
Product: Core → Testing
Target Milestone: mozilla1.9beta4 → ---
Version: Trunk → unspecified
...and changing the QA contact as well. Filter on the string "BugzillaQAContactHandlingIsStupid".
QA Contact: testing → httpd.js
You need to log in before you can comment on or make changes to this bug.