Re: Not waiting on browser manufacturers for RDFa 1.1

From: Mark Birbeck <mark.birbeck@webbackplane.com>
Date: Fri, 9 Jul 2010 18:44:03 +0100
Message-ID: <AANLkTilc9uFWtNp8xPIPxrdFNc79efXzTME3wm_XLOc8@mail.gmail.com>
To: Toby Inkster <mail@tobyinkster.co.uk>
Cc: Manu Sporny <msporny@digitalbazaar.com>, RDFa WG <public-rdfa-wg@w3.org>

Yes, you're probably right...all the people who campaigned long and
hard against using JSON in Flickr, Google Maps, Twitter, Yahoo!, and
so on, will no doubt be so buoyed by their success that they will
switch their attention to us.

;)

Regards,

Mark

On Friday, July 9, 2010, Toby Inkster <mail@tobyinkster.co.uk> wrote:
> On Fri, 2010-07-09 at 14:46 +0100, Mark Birbeck wrote:
>> But as I said way back during the discussions on profile, if you allow
>> profiles to be defined using JSON then you don't have this problem.
>
> Mark, I know you know this, but it's good to be clear... JSON does *not*
> allow you to circumvent browser cross-origin policies; JSONP does.
>
> Why is this an important distinction? Because JSONP is essentially a
> profile of Javascript. You bypass browser cross-origin policies because
> instead of fetching the profile, you embed (and thus execute) the
> profile as a script.
>
> While in practice there may be situations where this is a reasonable way
> to operate, executing unchecked third-party scripts carries a pretty big
> risk.
>
> I imagine that if we recommended this technique in the spec, there'd be
> a lot of pushback.
>
> --
> Toby A Inkster
> <mailto:mail@tobyinkster.co.uk>
> <http://tobyinkster.co.uk>
>
Received on Friday, 9 July 2010 17:44:37 GMT
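
The JSON versus JSONP distinction discussed in this thread, as an added example that is not part of the original messages: the same tampered response is loaded once the JSONP way (executed as script) and once as JSON (parsed and validated as data). The function names, the `page` object and the sample responses are constructed for illustration, and the sketch does not address the cross-origin restriction on fetching the JSON itself.

```javascript
// Constructed sample responses from a hypothetical third-party profile host.
const honestJson = '{"foaf": "http://xmlns.com/foaf/0.1/"}';
const honestJsonp = 'defineProfile(' + honestJson + ');';
// The same host after tampering: the mappings still arrive, plus one extra statement.
const tamperedJsonp = honestJsonp + ' page.modifiedByProfile = true;';

// JSONP model: a <script src> include runs the response with the page's authority.
// `page` is a hypothetical stand-in for the including document's state.
function loadViaJsonp(responseText, page) {
  let profile = null;
  const defineProfile = (mappings) => { profile = mappings; };
  new Function('defineProfile', 'page', responseText)(defineProfile, page);
  return profile;
}

// JSON model: the response is parsed as data and validated; nothing in it executes.
function loadViaJson(responseText) {
  let parsed;
  try {
    parsed = JSON.parse(responseText);
  } catch (e) {
    return { ok: false, reason: 'not JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'not an object of prefix mappings' };
  }
  const profile = Object.create(null);
  for (const [prefix, iri] of Object.entries(parsed)) {
    if (typeof iri !== 'string' || !/^https?:\/\//.test(iri)) {
      return { ok: false, reason: 'bad mapping for ' + prefix };
    }
    profile[prefix] = iri;
  }
  return { ok: true, profile };
}

function demo() {
  const page = { modifiedByProfile: false };
  const viaJsonp = loadViaJsonp(tamperedJsonp, page);
  return {
    jsonpProfileLooksNormal: viaJsonp.foaf === 'http://xmlns.com/foaf/0.1/',
    jsonpChangedPageState: page.modifiedByProfile,
    jsonRejectsScript: !loadViaJson(tamperedJsonp).ok,
    jsonAcceptsData: loadViaJson(honestJson).ok,
  };
}

console.log(demo());
```

The JSONP load returns a profile that looks normal even though the extra statement has already run, which is why the caller cannot detect the tampering after the fact.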
