W3C home > Mailing lists > Public > public-rdfa-wg@w3.org > July 2010

Re: Not waiting on browser manufacturers for RDFa 1.1

From: Mark Birbeck <mark.birbeck@webbackplane.com>
Date: Fri, 16 Jul 2010 17:22:03 +0100
Message-ID: <AANLkTinmIUt-Ow-LweBM1TJpn6h0pKUy-oKdRIvJAxHK@mail.gmail.com>
To: Shane McCarron <shane@aptest.com>
Cc: Toby Inkster <tai@g5n.co.uk>, RDFa WG <public-rdfa-wg@w3.org>
Hi Shane,

> Which is EXACTLY why we rejected it as a required format.  If it's something you want to
> support in your implementation, I say go for it.  But I think it is way too high a risk. I
> would MUCH rather have this flash hack coupled with a CORS-aware proxy as a backup
> service.  At least this way we are only delivering (X)HTML files that are then being parsed.
> No room for random stuff to be injected into my Javascript runtime environment.

The primary part of my proposal was always that having an RDF
vocabulary to define prefix mappings is overkill, and that name-value
pairs is sufficient.

I then proposed that it made sense to express these name/value pairs using JSON.

Unfortunately, I then went too far and said that by the way, this also
allows us to retrieve profiles across domains. The whole cross-domain
issue then got brought to the fore, but the problem then is that we
are no longer comparing like with like.

It's true that using a JSON format for profiles does indeed allow for
the cross-domain problem to be solved, if JSONP is used to allow the
browser to get a handle on the JSON. But as we know, that also leaves
a security hole, since you can't control what is going to be executed
in the JSONP.

However, since there is no other way to do cross-domain profiles in a
browser, without using techniques that are not yet widespread (CORS,
postMessage(), etc.), then if we ignore JSONP we only put JSON on a
par with HTML+RDFa -- we don't make it inferior.

In other words, a JSON format for profiles is no less secure than an
HTML+RDFa format if JSONP is taken out of the picture, whilst it's a
lot quicker and simpler to obtain the prefix mappings from.



Mark Birbeck, webBackplane



webBackplane is a trading name of Backplane Ltd. (company number
05972288, registered office: 2nd Floor, 69/85 Tabernacle Street,
London, EC2A 4RR)
Received on Friday, 16 July 2010 16:22:38 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:19:48 UTC