Re: RDFa Vocabularies

Philip Taylor wrote:
>> That is a tall order. I am not a JS expert but isn't it correct that
>> this restriction is deeply rooted in the browser environment?
> 
> If I'm understanding the discussion correctly, then the problem is that
> browser security is based on the same-origin policy, which means scripts
> running on a page generally can't access data from a different origin
> (where "origin" is basically domain+port+scheme). So a script that's
> used on http://whatever.example/ can't access data from
> http://example.org/vocab (because that would allow the first site to
> access private data on the user's intranet, or private data that other
> sites associate with the user via cookies).
> 
> CORS (http://dev.w3.org/2006/waf/access-control/) allows servers to
> relax that restriction, so example.org could be configured to allow
> access from anyone, in which case it could be read with XMLHttpRequest
> (in Firefox 3.5+ and Safari 4+; and with XDomainRequest in IE8+).
> 
> I'd expect an API like getVocabulary that doesn't use CORS and ignores
> the same-origin policy would be rejected as insecure, since it can be
> used to reveal information that would otherwise be inaccessible to scripts.

Our CTO and I just had a side discussion about CORS, resulting in each
of us reading the updated spec. After reading through it, we both agree
with Philip - that whatever mechanism is used should probably be, or at
least be based on, CORS.

If we depend on CORS, then a simple XMLHttpRequest would work to
retrieve the remote RDFa Vocabulary document (as long as the remote
server is configured to respond with "Access-Control-Allow-Origin: *"
when attempting to retrieve the vocabulary document). Also note that
this issue only applies to RDFa Vocabularies that are not kept on the
same server as the HTML+RDFa document.

So CORS+XMLHttpRequest is a good solution to ensure that RDFa JavaScript
implementations are still possible for RDFa 1.1 in all of the current,
popular web browsers. Thanks, Philip :)

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: Monarch - Next Generation REST Web Services
http://blog.digitalbazaar.com/2009/12/14/monarch/

Received on Tuesday, 12 January 2010 18:27:33 UTC
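As an added illustration (not code from the thread or from any RDFa implementation): the browser-side decision Philip and Manu describe, modelled as a pure function so it can be checked offline. The page URL, vocabulary URL and response headers below are constructed sample values; the credentialed-request branch goes slightly beyond the mail, applying the CORS rule that a wildcard grant only covers anonymous (cookie-less) reads.

```javascript
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin: scheme + host + port, as the mail defines it.
// Default ports are filled in so http://a.example/ and http://a.example:80/ match.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// May a script on pageUrl read the body of a GET to vocabUrl?
// responseHeaders: plain object of header name -> value as the vocabulary
// server sent them. withCredentials: whether the request carried cookies.
function canReadVocabulary(pageUrl, vocabUrl, responseHeaders, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(vocabUrl)) {
    return { allowed: true, reason: 'same-origin, CORS not needed' };
  }
  // Case-insensitive header lookup.
  const header = (name) => {
    const hit = Object.entries(responseHeaders).find(([k]) => k.toLowerCase() === name);
    return hit ? String(hit[1]).trim() : null;
  };
  const acao = header('access-control-allow-origin');
  if (acao === null) {
    return { allowed: false, reason: 'cross-origin and no Access-Control-Allow-Origin' };
  }
  if (withCredentials) {
    // Credentialed reads need an explicit origin plus an explicit credentials opt-in;
    // "Access-Control-Allow-Origin: *" only covers anonymous requests.
    if (acao === '*' || header('access-control-allow-credentials') !== 'true') {
      return { allowed: false, reason: 'credentialed request not granted by server' };
    }
  } else if (acao === '*') {
    return { allowed: true, reason: 'CORS wildcard grant' };
  }
  // A single literal origin may be echoed back; compare it as an origin, not as a string.
  try {
    if (originOf(acao) === pageOrigin) return { allowed: true, reason: 'CORS exact-origin grant' };
  } catch (e) { /* malformed header value (e.g. "null"): treat as no grant */ }
  return { allowed: false, reason: `Access-Control-Allow-Origin "${acao}" does not cover ${pageOrigin}` };
}

// Constructed sample: an HTML+RDFa page on whatever.example fetching a vocabulary
// on example.org whose server answers with the wildcard header from the mail.
const SAMPLE_PAGE = 'http://whatever.example/';
const SAMPLE_VOCAB = 'http://example.org/vocab';
const SAMPLE_HEADERS = { 'Content-Type': 'application/xhtml+xml', 'Access-Control-Allow-Origin': '*' };
```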