
Re: Non-XHTML host languages for RDFa

From: Toby Inkster <tai@g5n.co.uk>
Date: Tue, 01 Dec 2009 09:16:11 +0000
To: Mark Birbeck <mark.birbeck@webbackplane.com>
Cc: Christoph LANGE <ch.lange@jacobs-university.de>, Ivan Herman <ivan@w3.org>, RDFa Developers <public-rdf-in-xhtml-tf@w3.org>
Message-ID: <1259658971.17105.4.camel@ophelia2.g5n.co.uk>
On Tue, 2009-12-01 at 08:48 +0000, Mark Birbeck wrote:
> Right...but as I say, a JavaScript parser running in a browser would
> not be able to retrieve those RDFa documents, if they were in a
> different domain to the main document.
> 
> So even if we do support that, I think we need to do it in a way that
> also supports a JSON solution. 

XHR requests are domain-restricted. This is the case whether the
profiles are in XML, XHTML or plain text. JSON doesn't change that.

So-called "JSON-P" (which is actually JavaScript, not JSON) provides a
workaround, but also opens a gaping security hole as it allows the
server you're reading from to inject arbitrary JavaScript code into your
document. If your document contains any private data (e.g. you're using
RDFa on pages containing your company's internal data on a page that's
behind a corporate firewall) then a malevolent JSON-P profile could be
used to steal that data.

-- 
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>
Received on Tuesday, 1 December 2009 09:16:55 GMT
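The two points in Toby's reply, as an added example that is not part of the original thread or of any RDFa implementation: `isSameOrigin()` reproduces the scheme/host/port rule behind the "XHR requests are domain-restricted" statement, and `parseJsonpAsData()` shows the defensive alternative to letting a `<script>` tag execute a JSON-P profile, namely unwrapping the callback and handing the payload to `JSON.parse`, which rejects anything that is not pure data. The profile shape (a `prefixes` map), the callback name `rdfaProfile` and the sample bodies are assumptions constructed for this example; the code runs under Node.js.

```javascript
// Added example (not from the thread). Assumed profile shape and callback
// name; sample bodies below are constructed for illustration.

// The same-origin rule that makes XHR domain-restricted: scheme, host and
// port must all match, so a profile on another domain is unreachable.
function isSameOrigin(documentUrl, resourceUrl) {
  const doc = new URL(documentUrl);
  // Resolve a relative profile URL against the document that references it.
  const res = new URL(resourceUrl, documentUrl);
  return doc.protocol === res.protocol &&
         doc.hostname === res.hostname &&
         doc.port === res.port;
}

// Treat a JSON-P response as data, not code. Accept only the exact form
// "<callback>(<json>)" with an optional trailing semicolon; anything else
// (a different callback, extra statements, operators, function calls) is
// rejected because JSON.parse only accepts pure JSON.
function parseJsonpAsData(body, expectedCallback) {
  const text = body.trim();
  const prefix = expectedCallback + '(';
  if (!text.startsWith(prefix)) {
    throw new Error('JSON-P body does not start with the expected callback');
  }
  const close = text.lastIndexOf(')');
  if (close === -1 || !/^\s*;?\s*$/.test(text.slice(close + 1))) {
    throw new Error('JSON-P body has trailing content after the callback call');
  }
  // If the server appended script after the data, the slice below is not
  // valid JSON and JSON.parse throws; nothing is ever executed.
  return JSON.parse(text.slice(prefix.length, close));
}

// Constructed sample: a benign profile body as a JSON-P server might return it.
const BENIGN_PROFILE_BODY =
  'rdfaProfile({"prefixes": {"foaf": "http://xmlns.com/foaf/0.1/"}});';

// Constructed sample: the same profile with an extra statement appended.
// Loaded via a <script> tag this statement would run in the page; parsed
// as data it is rejected. "untrustedCode" is a placeholder name.
const TAMPERED_PROFILE_BODY =
  'rdfaProfile({"prefixes": {"foaf": "http://xmlns.com/foaf/0.1/"}}); untrustedCode();';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(isSameOrigin('https://example.com/page', '/profile'));            // true
  console.log(isSameOrigin('https://example.com/page', 'https://example.org/p')); // false
  console.log(parseJsonpAsData(BENIGN_PROFILE_BODY, 'rdfaProfile').prefixes);
  try {
    parseJsonpAsData(TAMPERED_PROFILE_BODY, 'rdfaProfile');
  } catch (e) {
    console.log('rejected tampered profile:', e.message);
  }
}
```

The design choice is that the profile never reaches a JavaScript interpreter: the page decides which callback name it expects and whether the body is well-formed, and the data itself goes through a JSON parser rather than `eval` or a script element. This does not lift the cross-domain restriction on the fetch itself, which is the point of the first paragraph; it only removes the code-injection hazard of the JSON-P workaround where the body can be retrieved as text.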
