Ticket #4 (new enhancement)
Opened 10 years ago
Privileged first parameter
Reported by: | smagi | Owned by: | smagi |
---|---|---|---|
Priority: | major | Component: | clavis |
Version: | Keywords: | ||
Cc: |
Description
It would be convenient to fold the first parameter of a resource into the URL path itself. This would support wiki-like naming, so instead of /View?Page=FooBar? clients would see some varient of /View/FooBar.
However, since the URL path is part of the HMAC, this means the path component must be a protected parameter. However, it's more desirable if this component were unsafe/unprotected so clients could change it at will.
Furthermore, the first parameter of a resource must be the same across all continuation types it implements, and it cannot be an IEnumerable type.
Possible resolutions:
- Path is not included in the HMAC: this would allow illegal continuation applications, ie. moving query string from one continuation to another would be allowed, but be an error.
- Require a continuation value for validation: this is how it used to work before switching to purely URL-based validation. However, how would a Clavis HttpHandler? find and load the right continuation type given only the string? We can't know just by looking at the requested URL whether it's a continuation type that folds the first parameter into the path.
- Use a distinct character to delimit path from param, ie. /View:FooBar or /View-FooBar?. This makes it somewhat non-uniform with other URLs, but not entirely so, ie. Wikipedia talk page uses "/wiki/Talk:Subject". See: http://stackoverflow.com/a/4669755/144873
I think #3 is the best option: unsafe integral first params can be folded into the URL path with a ":" delimiter. HMAC validation will simply skip all data between ":" and "?". Perhaps a different delimiter, like '-', will designate protected params which are included in the HMAC.
Or perhaps more convenient URLs can be controlled at a whole other layer, like with IIS URL rewriting?