Wapp

Check-in [38fa4334e3]

Overview
Comment: Documentation improvements.
SHA3-256: 38fa4334e3ad601143474c501d800b1d2801f8f196fb053d056d4da9bc872ee3
User & Date: drh 2019-04-01 01:57:25
Context
2019-04-08
20:14
For the %string() substitution, encode newlines and carriage returns using backslash escapes. check-in: 6385090072 user: drh tags: trunk
2019-04-01
01:57
Documentation improvements. check-in: 38fa4334e3 user: drh tags: trunk
01:31
Fix error in the first example of the "intro.md" page. check-in: 83e002a08c user: drh tags: trunk
Changes

Changes to README.md.

     1      1   Wapp - A Web-Application Framework for TCL
     2      2   ==========================================
     3      3   
     4      4   Wapp is a framework for writing web applications in TCL,
     5      5   with the following advantages:
     6      6   
     7      7     *   Small and simple API → easy to learn and use
     8         -  *   A complete application is contained in a single file of TCL
            8  +  *   A complete app is a single small file of TCL
     9      9     *   Resistant to attacks and exploits
    10     10     *   Cross-platform → CGI, SCGI, or a built-in web server
    11     11     *   The Wapp framework itself is a single-file TCL script
    12         -  *   Easy to embedded in a larger application
    13         -      to provide a web-based monitoring capability
    14         -  *   The MVC design pattern is supported but not required
           12  +  *   Easy to embedded in a larger application, if desired
    15     13     *   2-clause BSD license
    16     14   
    17     15   Documentation
    18     16   -------------
    19     17   
    20     18     *  ["Hello World!" App (6 lines of code)](/doc/trunk/docs/helloworld.md)
    21     19     *  [Introduction To Writing Wapp Applications](/doc/trunk/docs/intro.md)
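
Review bot: The replacement bullet on new line 12 still reads "Easy to embedded in a larger application"; since the line is being rewritten anyway, change it to "Easy to embed in a larger application, if desired". The hunk also drops the "MVC design pattern is supported but not required" bullet and the "web-based monitoring capability" use case. If that removal is intentional, the check-in comment "Documentation improvements." could say so.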

Changes to docs/debughints.md.

     1      1   Hints For Debugging Wapp Applications
     2      2   =====================================
     3      3   
     4      4   Here are some suggestions for debugging Wapp applications:
     5      5   
     6         -  +  If it seems like the [wapp-param](#wapp-param) command is not 
            6  +  +  If it seems like the [wapp-param](commands.md#wapp-param) command is not 
     7      7        working correctly, that might be because the same-origin policy
     8      8        is preventing query parameters from being parsed.
     9         -     Try adding this command to the top of the page generator proc, at
    10         -     least temporarily to see if that clears the problem.
            9  +     Try adding the [wapp-allow-xorigin-parameters](commands.md#allow-xorigin)
           10  +     command to the top of the page generator proc, at
           11  +     least temporarily, to see if that clears the problem.
    11     12   
    12     13     +  If parts of your webpage do not appear to be working, that might
    13     14        be due to the restrictive default 
    14     15        [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
    15     16        that Wapp uses.  Try temporarily disabling the CSP using a command
    16     17        like <blockquote><b>wapp-content-security-policy off</b></blockquote>
    17     18        near the top of your page-generator proc.
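
Review bot: The new link target on line 9, commands.md#allow-xorigin, does not follow the naming of the neighbouring commands.md#wapp-param anchor; confirm that an anchor with exactly that name exists in commands.md, otherwise the link lands at the top of the page. The hint also says to add wapp-allow-xorigin-parameters "at least temporarily" without saying to take it out again. Because the preceding lines explain that the same-origin policy is what blocks the parameters, a closing sentence telling the reader to remove the command once the cause is found would keep a debugging aid from turning into a permanent relaxation.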

Changes to docs/intro.md.

   163    163         wapp-trim {
   164    164           <h1>Wapp Environment</h1>\n<pre>
   165    165           <pre>%html([wapp-debug-env])</pre>
   166    166         }
   167    167       }
   168    168       wapp-start $argv
   169    169   
   170         -Most Wapp applications contain an /env page for debugging and
          170  +Many Wapp applications contain an /env page for debugging and
   171    171   trouble-shooting purpose.  Examples:
   172    172   <https://sqlite.org/checklists/env> and
   173    173   <https://sqlite.org/search?env=1>
   174    174   
   175    175   
   176    176   2.1 Binary Resources
   177    177   --------------------
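
Review bot: The sentence edited on line 170 still ends with "trouble-shooting purpose." on line 171; make it "purposes" while the sentence is being touched. In the context above, line 164 ends with "\n<pre>" and line 165 opens "<pre>" again, so the example appears to emit two opening tags for a single "</pre>"; that looks like a leftover worth removing in the same check-in.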

Changes to docs/security.md.

    51     51   
    52     52     6.  If the application is launched on a command-line with the --lint
    53     53         option, then instead of running the application, Wapp scans the
    54     54         application code looking for constructs that are unsafe.  Unsafe
    55     55         constructs include things such as using 
    56     56         "[wapp-subst](commands.md#wapp-subst)" with an argument
    57     57         that is not contained within {...}.
           58  +
           59  +  7.  The new (non-standard) SAME\_ORIGIN variable is provided. This variable
           60  +      has a value of "1" or "0" depending on whether or not the current HTTP
           61  +      request comes from the same origin. Applications can use this information
           62  +      to enhance their own security precautions by refusing to provide sensitive
           63  +      information or perform sensitive actions if SAME\_ORIGIN is not "1".
           64  +
           65  +  8.  The --scgi mode only accepts SCGI requests from localhost.  This prevents
           66  +      an attacker from sending an SCGI request directly to the script and bypassing
           67  +      the webserver in the event that the site firewall is misconfigured or omitted.
           68  +
           69  +  9.  Though cookies, query parameters and POST parameters are accessed using
           70  +      the same mechanism as CGI variables, the CGI variable names use a disjoint
           71  +      namespace.  (CGI variables are all upper-case and all others are lower-case.)
           72  +      Hence, it is not possible for a remote attacher to create a fake CGI variable 
           73  +      or override the value of a CGI variable.
           74  +
    58     75   
    59     76   Part of what makes Wapp easy to use is that it helps free application
    60     77   developers from the worry of accidently introducing security vulnerabilities
    61     78   via programming errors.  Of course, no framework is fool-proof.  Developers
    62     79   still must be aware of security.  Wapp does not prevent every error, but
    63     80   it does help make writing a secure application easier and less stressful.
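
Review bot: Item 9, new line 72, has a typo: "remote attacher" should be "remote attacker". Item 7 calls SAME_ORIGIN "new", which will date quickly, and does not say how Wapp decides that a request is same-origin; since applications are told to gate sensitive actions on the value, one sentence on what it is derived from would let readers judge how far to rely on it. The hunk also leaves two consecutive blank lines (new lines 74 and 75) before the closing paragraph.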