
Re: CORS Proxy

From: Henry Story <henry.story@bblfish.net>
Date: Sat, 7 Jul 2012 14:06:51 +0200
Cc: Read-Write-Web <public-rww@w3.org>, Michael Hausenblas <michael.hausenblas@deri.org>, Nathan Rixham <nathan@webr3.org>
Message-Id: <0CC30426-C6E7-4958-94A2-8A82059E7F36@bblfish.net>
To: Thomas Steiner <tomac@google.com>

On 7 Jul 2012, at 01:56, Thomas Steiner wrote:

> [pruned to: list, added CORS-enabled folks I know]

[ I think they were all on the rww and webid mailing lists :-) ]

> 
> Hi Henry,
> 
> Thanks for putting this service online (in the form of source code)
> and also to the folks over at data.fm for making it actually available
> as a publicly callable service. Services like YQL allow you to turn
> any website into a JSON-P API, which—while less elegant—in practice
> serves the same purpose as CORS: "overcome" the SOP.

YQL? Yahoo Query Language? Looks like SPARQL is what I'd use there.
SOP?

> I have used YQL
> widely in some of my Linked Data apps, however, always have hit the
> call limit per time unit. Even on my private hosted server (1&1, so a
> hoster with a name), where I used to host a PHP proxy, I have hit some
> of their DDoS triggers, so after a while started returning 500 errors.

Yes, many services limit the number of calls you can make to their sites. I was starting to architect my code so that it could easily re-use connections to web sites, and also make it possible to have policies to avoid the platform turning into a tool for denial of service attacks. I think this will be a reason to only allow access to the service to WebID-authenticated users.

But you point out that you also have that problem when you are the only one using your machine. I suppose this means one would need a system to learn somehow how many connections to different services are reasonable. If services could publish this information in RDF that would be very helpful. It should be easy to put an ontology together for this and it seems that this could well be placed in an access control file.
Or perhaps a pointer to such a file when returning a 429 Too Many Requests (RFC 6585) response.

> Do you have a solution or view to/on that issue? It is in my humble
> opinion one of the main stumble stones to all that beautiful Linked
> Data tales. As soon as you seriously start to follow the links, the
> infrastructure goes down (per security design).

Perhaps that ontology explaining an upper limit on usage. I think we'll work out how to do this as we build it.

> 
> Looking forward to some opinions, and sorry if this sounds too
> negative or unrelated to your service announcement. I _appreciate_ any
> and all efforts towards enable-cors.org!
> 
> Best,
> Tom
> 
> Thank God not sent from a BlackBerry, but from my iPhone

Social Web Architect
http://bblfish.net/
Received on Saturday, 7 July 2012 12:07:24 GMT
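
Added example, not part of the original message or of the proxy's source: one way a fetch proxy could enforce the kind of policy discussed above, with a token bucket per authenticated client and upstream host, plus a host-wide pause after an upstream 429 that honours a numeric `Retry-After`. The class name, the rate, burst and back-off values, and the use of a WebID string as the client key are assumptions made for illustration.

```python
import time
from urllib.parse import urlsplit

class UpstreamLimiter:
    """Hypothetical per-(client, upstream host) limiter for a CORS/fetch proxy."""

    def __init__(self, rate=1.0, burst=5, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}        # (client, host) -> (tokens, time of last refill)
        self.blocked_until = {}  # host -> time before which nobody may call it

    @staticmethod
    def host_of(url):
        host = urlsplit(url).hostname
        if not host:
            raise ValueError("URL has no host: %r" % (url,))
        return host.lower()

    def allow(self, client, url):
        """Return (ok, wait_seconds) for one proxied request by client to url."""
        host, now = self.host_of(url), self.clock()
        until = self.blocked_until.get(host, 0.0)
        if now < until:                      # upstream told us to back off
            return False, until - now
        tokens, last = self.buckets.get((client, host), (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1.0:                     # this client exhausted its budget
            self.buckets[(client, host)] = (tokens, now)
            return False, (1.0 - tokens) / self.rate
        self.buckets[(client, host)] = (tokens - 1.0, now)
        return True, 0.0

    def record_response(self, url, status, retry_after=None,
                        default_backoff=60.0, max_backoff=3600.0):
        """On an upstream 429, pause every client's calls to that host."""
        if status != 429:
            return
        try:
            delay = min(max(0.0, float(retry_after)), max_backoff)
        except (TypeError, ValueError):
            delay = default_backoff          # header absent or an HTTP-date
        host = self.host_of(url)
        self.blocked_until[host] = max(self.blocked_until.get(host, 0.0),
                                       self.clock() + delay)
```

The proxy would call `allow()` before each outbound fetch, answer the caller with its own 429 when refused, and pass every upstream status to `record_response()`.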
