Once we've created the webrev, we'll need to host it on the user's behalf.
Questions to think about:
What level of security will we need on this hosting?
When will the webrev be deleted?
I don't think we need any security on web revs. It's just a pull request on an open source project.
I think we can delete the webrev after it has been merged or terminated. There are events in the state transition diagram that represent these events.
Currently the method on the PullReview object to get the webrev returns a file. This needs to be changed once we set up hosting for the webrev so that the method returns a URL.