
Re: Not waiting on browser manufacturers for RDFa 1.1

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 09 Jul 2010 17:12:47 -0400
Message-ID: <4C3790CF.3060302@digitalbazaar.com>
To: RDFa WG <public-rdfa-wg@w3.org>
On 07/09/10 13:44, Mark Birbeck wrote:
> Yes, you're probably right...all the people who campaigned long and
> hard against using JSON in Flickr, Google Maps, Twitter, Yahoo!, and
> so on, will no doubt be so buoyed by their success that they will
> switch their attention to us.

I'm assuming that you're being facetious, but there is a point that is
left un-made in your remark.

Toby and Shane are absolutely correct - we didn't use JSONP because it
is a massive security hole to do so. Executing /any/ RDFa vocabulary as
Javascript is an unacceptable security risk. I don't know if you know a
way around this, because if so, please do let us know.

The difference between Flickr, Google Maps, Twitter, Yahoo! and other
large established companies that people trust and some random vocabulary
developer should be self-evident.

There are certain URLs that you can trust most of the time (like
well-known URLs for jQuery caching provided by Google) and there are
URLs that you can't trust - like trojan vocabularies that people have
developed and tricked others into using.

Here's the nightmare scenario, if it wasn't evident already:

Your bank has RDFa information in your account page - account details,
balances, etc. They're using a 3rd party RDFa parser that loads
vocabularies via <script> tags and JSONP. Their developers include an
extra vocabulary via @profile that loads a profile from a 3rd party site.

The 3rd party site gets compromised in some way, still provides the
correct term mappings, but also sniffs which site you're on and what
content is on the page. If it detects that you're on your bank's
website, it encodes your account details in a URL and does an
XMLHttpRequest GET to a site that collects all of your banking data.
Worse, it puts a window on the page that says that you've been logged
out and to enter your username and password to log back into the site.

This was the reason we rejected JSONP as a solution for RDFa Profiles -
it is a massive security hole. We have a duty to the Web community to
create solutions that are not only useful, but also secure and that
won't violate their trust in the Web.

As I mentioned previously, perhaps you have a solution for this
particular attack... I'd love to hear it if you do. :)

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: Myth Busting Web Stacks - PHP is Faster Than You Think
http://blog.digitalbazaar.com/2010/06/12/myth-busting-php/2/
Received on Friday, 9 July 2010 21:13:17 GMT
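As an added example (not code from this thread or from any RDFa implementation), the following shows the distinction Manu is drawing: a profile loader that treats the fetched term-mapping document as inert data, parsed with `JSON.parse` and shape-checked, instead of handing the response body to the script engine as JSONP does. The `terms`/`prefixes` field names and both sample documents are constructed assumptions, not the RDFa 1.1 profile format.

```javascript
// Added example: load an RDFa profile as data, never as executable script.
// With JSONP the whole response body is evaluated as JavaScript in the
// embedding page's origin, so a compromised profile host can run anything.
// JSON.parse plus a strict shape check leaves no path for code to execute.

// Constructed sample of a benign profile document (field names assumed).
const BENIGN_PROFILE = JSON.stringify({
  terms:    { name: "http://xmlns.com/foaf/0.1/name" },
  prefixes: { foaf: "http://xmlns.com/foaf/0.1/" }
});

// Constructed sample of what a JSONP endpoint returns: the callback wrapper
// is code, and anything the host appends to it would run too.
const JSONP_RESPONSE =
  'rdfaProfileCallback({"terms":{"name":"http://xmlns.com/foaf/0.1/name"}});' +
  ' /* any additional statements served by the host would execute here */';

// Accept only absolute http(s) IRIs as mapping targets.
function isIri(v) {
  return typeof v === "string" && /^https?:\/\/\S+$/.test(v);
}

// Accept only a flat object whose keys match keyPattern and whose values are IRIs.
function validMapping(obj, keyPattern) {
  if (obj === undefined) return true; // section is optional
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return false;
  return Object.entries(obj).every(([k, v]) => keyPattern.test(k) && isIri(v));
}

// Parse a profile body as data. Returns {terms, prefixes} or null on any failure.
function parseProfile(body) {
  let doc;
  try {
    doc = JSON.parse(body); // never evaluates code
  } catch (e) {
    return null; // JSONP wrappers and script payloads are rejected here
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) return null;
  const TERM = /^[A-Za-z_][\w.-]*$/;
  const PREFIX = /^[A-Za-z_][\w-]*$/;
  if (!validMapping(doc.terms, TERM) || !validMapping(doc.prefixes, PREFIX)) return null;
  return { terms: { ...(doc.terms || {}) }, prefixes: { ...(doc.prefixes || {}) } };
}
```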
