
Re: Not waiting on browser manufacturers for RDFa 1.1

From: Toby Inkster <tai@g5n.co.uk>
Date: Fri, 09 Jul 2010 17:16:51 +0100
To: RDFa WG <public-rdfa-wg@w3.org>
Message-ID: <1278692211.3887.64.camel@ophelia2.g5n.co.uk>
On Fri, 2010-07-09 at 14:46 +0100, Mark Birbeck wrote:
> But as I said way back during the discussions on profile, if you allow
> profiles to be defined using JSON then you don't have this problem. 

Mark, I know you know this, but it's good to be clear... JSON does *not*
allow you to circumvent browser cross-origin policies; JSONP does.

Why is this an important distinction? Because JSONP is essentially a
profile of Javascript. You bypass browser cross-origin policies because
instead of fetching the profile, you embed (and thus execute) the
profile as a script.

While in practice there may be situations where this is a reasonable way
to operate, executing unchecked third-party scripts carries a pretty big
risk.

I imagine that if we recommended this technique in the spec, there'd be
a lot of pushback.

-- 
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>
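Added example (not code from the message or from the RDFa WG) showing the distinction Toby draws: a JSON profile is parsed as data and can never run, whereas a JSONP profile is a script, so everything in the response executes with the page's privileges. The profile shape (prefix and term mappings), the callback name `rdfaProfile`, the `window` stand-in and both sample payloads are constructed for the demo.

```javascript
// Constructed RDFa-style profile delivered as plain JSON: prefix and term mappings.
const JSON_PROFILE =
  '{"prefixes":{"foaf":"http://xmlns.com/foaf/0.1/"},' +
  '"terms":{"name":"http://xmlns.com/foaf/0.1/name"}}';

// The same profile delivered as JSONP: the server wraps it in a callback call.
// Because the browser loads this via <script src=...>, any other statement the
// third party puts in the response runs too (here a harmless, constructed flag).
const JSONP_PROFILE =
  'window.__sideEffect = true; ' +
  'rdfaProfile({"prefixes":{"foaf":"http://xmlns.com/foaf/0.1/"},' +
  '"terms":{"name":"http://xmlns.com/foaf/0.1/name"}});';

// Load a profile fetched as JSON. JSON.parse never executes anything: the body
// is either a JSON document or a SyntaxError. Only string mappings are kept.
function loadJsonProfile(body) {
  const doc = JSON.parse(body);
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    throw new TypeError('profile must be a JSON object');
  }
  const pick = (section) => Object.fromEntries(
    Object.entries(doc[section] || {}).filter(([, v]) => typeof v === 'string'));
  return { prefixes: pick('prefixes'), terms: pick('terms') };
}

// Simulate what a <script> element does with a JSONP response: the body is
// evaluated as JavaScript, with rdfaProfile as the callback that receives the
// profile. `scope` stands in for the page's window object (constructed).
function loadJsonpProfile(body) {
  const scope = { __sideEffect: false };
  let received = null;
  const rdfaProfile = (profile) => { received = profile; };
  new Function('window', 'rdfaProfile', body)(scope, rdfaProfile);
  return { profile: received, sideEffectRan: scope.__sideEffect };
}

// Run both loaders: the JSON path rejects the JSONP body outright (it is not
// JSON), while the JSONP path yields the profile and the side effect together.
function demo() {
  const safe = loadJsonProfile(JSON_PROFILE);
  let jsonRejectsScript = false;
  try { loadJsonProfile(JSONP_PROFILE); } catch (e) { jsonRejectsScript = e instanceof SyntaxError; }
  const jsonp = loadJsonpProfile(JSONP_PROFILE);
  return { safe, jsonRejectsScript, jsonp };
}
```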
Received on Friday, 9 July 2010 16:17:34 GMT
