Toplevel: add a simple cohttp based server #111

Merged
merged 1 commit into from
Mar 19, 2014


andrewray
Contributor

Provides just enough to enable topfind in the js_of_ocaml toplevel.

You may find this useful for testing dynamic loading with js_of_ocaml.

Note: xmlHttpRequests are generated regardless of the presence of a server that can support them, which might not be the behaviour you want. You might also want support of command line options and serving multiple directories, as this feature also enables open_in to read arbitrary files from the filesystem.

This provides the simplest possible support to enable
topfind in the js_of_ocaml toplevel
vouillon added a commit that referenced this pull request Mar 19, 2014
Toplevel: add a simple cohttp based server
@vouillon vouillon merged commit f12286d into ocsigen:master Mar 19, 2014

gasche commented Mar 19, 2014

Could you explain a bit how this works (to someone not familiar with topfind)? My understanding is that the user willing to use topfind on a js_of_ocaml-using webpage should run the ./server program provided by the js_of_ocaml distribution on his/her machine, and that it will send any requested file to the js_of_ocaml webpage (in fact to ocamlfind scripts running, after compilation to JS, on this webpage).

I'm wondering what the use-cases for this are; if I correctly understand that the user should run the server, it seems potentially useful but also much more limiting than classic js_of_ocaml (which doesn't require an OCaml installation).

In any case, I'm also curious about the security implications of having a program running on my machine ready to upload any file from my filesystem. Is there a risk of attack from malicious javascript injected in this webpage or another? Is there a risk of attack from outside localhost?

@andrewray
Contributor Author

On Wed, Mar 19, 2014 at 4:26 PM, gasche wrote:

> Could you explain a bit how this work (for someone not familiar with
> topfind?). My understanding is that the user willing to use topfind a
> js_of_ocaml-using webpage should run the ./server program provided by the
> js_of_ocaml distribution on his/her machine, and that it will send any
> requested file to the js_of_ocaml webpage (in fact to ocamlfind scripts
> running, after compilation to JS, on from this webpage).

Firstly this feature is primarily for the js_of_ocaml toplevel and not so
much for arbitrary js_of_ocaml applications.

It doesn't actually require ocamlfind; normal ocaml directives like #load
also work, as will functions like open_in, as it uses the js_of_ocaml pseudo
filesystem at quite a low level.

> I'm wondering what the use-cases for this are; if I correctly understand
> that the user should run the server, it seems potentially useful but also
> much more limiting than classic js_of_ocaml (which doesn't require an OCaml
> installation).

It might perhaps find use with developers who want to test their libraries
interactively with the js_of_ocaml toplevel without building an application.

I don't think it changes any other use case of js_of_ocaml.

> In any case, I'm also curious about the security implications of having a
> program running on my machine ready to upload any file from my filesystem.
> Is there a risk of attack from malicious javascript injected in this
> webpage or another? Is there a risk of attack from outside localhost?

It should only serve files on 127.0.0.1:8888 so I don't think it's possible
to access it from outside. Certainly you could configure things to allow
that and you would want to be very careful in that case.

Files should only be accessible from $(HOME)/.opam but I note that you can
subvert that with paths like "$(HOME)/.opam/../" which should probably be
fixed.

-Andy


@andrewray andrewray deleted the server branch March 25, 2014 12:38
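
The `..` bypass of the `$(HOME)/.opam` restriction mentioned in the reply above, as an added example (not code from this pull request): a constructed prefix check on the raw path beside a check that normalizes the path first. The function names, the sample root and the sample paths are assumptions, and request paths are assumed to be absolute and already percent-decoded.

```ocaml
(* Added example. Assumes request paths are absolute, already percent-decoded,
   and that [root] is normalized with no trailing slash. *)

(* Collapse "", "." and ".." lexically; None if the path climbs above "/"
   or contains a NUL byte. *)
let normalize (path : string) : string list option =
  let step acc seg =
    match acc, seg with
    | None, _ -> None
    | Some stack, ("" | ".") -> Some stack
    | Some [], ".." -> None
    | Some (_ :: rest), ".." -> Some rest
    | Some stack, s -> Some (s :: stack)
  in
  if String.contains path '\000' then None
  else Option.map List.rev
      (List.fold_left step (Some []) (String.split_on_char '/' path))

let has_prefix ~prefix s =
  String.length s >= String.length prefix
  && String.sub s 0 (String.length prefix) = prefix

(* Constructed weak check: prefix test on the raw, unnormalized string. *)
let allowed_naive ~root path = has_prefix ~prefix:root path

(* Normalize first, then require the root itself or something below root/. *)
let allowed ~root path =
  match normalize path with
  | None -> false
  | Some segs ->
    let clean = "/" ^ String.concat "/" segs in
    clean = root || has_prefix ~prefix:(root ^ "/") clean

let () =
  let root = "/home/user/.opam" in (* constructed sample root *)
  let cases = [ (* constructed sample requests, with the expected verdict *)
    "/home/user/.opam/system/lib/x.cma", true;
    "/home/user/.opam/./lib//x.cmo", true;
    "/home/user/.opam/../private/notes.txt", false;
    "/home/user/.opam/a/../../private/x", false;
    "/home/user/.opam-other/x", false; (* sibling directory sharing the prefix *)
  ] in
  List.iter
    (fun (p, expected) ->
      assert (allowed ~root p = expected);
      Printf.printf "%-40s naive=%b normalized=%b\n" p
        (allowed_naive ~root p) (allowed ~root p))
    cases
```

The check is lexical only: a symlink inside the root that points elsewhere still leads outside it, so a server that must handle symlinks should resolve the final path (for example with `Unix.realpath` on OCaml 4.13 or later) before comparing it to the root.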
vouillon added a commit that referenced this pull request Oct 29, 2024
Get latest changes from js_of_ocaml