[Zope3-Users] Re: View or content provider

Daniel Nouri daniel.nouri at gmail.com
Tue Jul 17 14:20:58 EDT 2007


Hermann Himmelbauer wrote:
> On Tuesday, 17 July 2007 14:08, Stephan Richter wrote:
>> On Monday 16 July 2007 19:32, Daniel Nouri wrote:
>>>> I do not recommend using views for content that is only
>>>> used inside a template. Because "context/@@viewname"
>>>> is also traversable as a real view and will probably show
>>>> up in google.
>>> How would it show up in Google?  Google bots don't try arbitrary URLs,
>>> they follow links.
>>>
>>> Using ordinary views for parts of an HTML page works perfectly for me.
>> It works at the cost of security. How do you know that no one will figure
>> out those views? And how do you know that they are properly secured, if you
>> never test them standalone? This might not be too problematic for a single
>> project, but would you like to install a package and suddenly get all those
>> views that you do not know whether they are properly secured and may reveal
>> sensitive information? I can tell you that some of my clients do care about
>> this!
> 
> I agree with this: Security through obscurity is always a bad idea. In cases 
> where content is not yet ready for the public, it may be o.k. to hide 
> information by unknown URLs, but not on a long-term scale.
> 
> You can bet that someone will in some way find out the URL. For instance, I 
> once "published" a site by sending a code snippet with the URL to the Plone 
> mailing list and Google collected it from the archive (fortunately, no big 
> deal in my case).

You got the wrong idea.  My intention was not to say: No one knows how to
access those views, so they're secure.  But rather: I wouldn't worry about
search engines picking up those (public) snippets of HTML.  The problem here
is that e.g. Google would index parts of pages that should only be seen in
the context of a bigger, complete page.

Regards,
Daniel


