Re: Linked Data Profile and CORS

On 17 July 2012 11:13, Henry Story <henry.story@bblfish.net> wrote:

> Hi,
>
>   [I sent the following mail to the Linked Data Profile WG, to see if it
> is something they are able to add to their topics of interest (that may
> take some time, and so should not stop us looking into it too).]
>
>   I think as mentioned previously LDP does require some form of
> authentication, as it allows non-idempotent methods such as POST, PUT &
> DELETE . This means that there will be some interesting things to think
> about relating to CORS [1]
>

Good questions!

PUT GET and DELETE are idempotent, POST is not.


>
>   One application of an LDP server would be to have a javascript client
> [2] be able to crawl RDF linked data in order to build up a user interface.
> I have a really simple example that kind-of™ works.
>
>   http://bblfish.github.com/rdflib.js/example/people/social_book.html
>
>  The page contains no data just a reference to my foaf profile, which is
> how it fills in the user info and the first column of the Social Book. If
> you click on some users, such as "Joe Presbrey" the javascript will make an
> XHR request to his WebID Profile http://presbrey.mit.edu/foaf, which
> since it contains the right headers especially the
> "Access-Control-Allow-Origin: *"
>
> $ curl -I http://presbrey.mit.edu/foaf
>   HTTP/1.1 200 OK
>   Date: Tue, 17 Jul 2012 08:35:03 GMT
>   Server: Apache
>   Access-Control-Allow-Origin: *
>   Last-Modified: Tue, 20 Dec 2011 01:02:36 GMT
>   ETag: "43c4058c-1437-4b47b9f740300"
>   Accept-Ranges: bytes
>   Content-Length: 5175
>   Content-Type: application/rdf+xml
>
> the browser is authorised to pass that profile on for use by the
> javascript that will display the info. Most linked data sites do not put
> such headers up, and so make it necessary then to develop CORS proxies
> (which that social_book application also uses).
>
>  It may be worth exploring this side of things a bit. Perhaps adding to
> the LDP Use Cases [3] a javascript based linked data browser could bring
> these issues up in the LDP Working Group.
>
> Some questions that come up from my little experience in this area are:
>  - should all public RDF resources always return
> Access-Control-Allow-Origin: * to all public resources?
>    ( I would tend to think so, because a simple proxy will always give
> access to that resource anyway )
>  - How does a server know which Origin JS agents to trust for a particular
> user? Since we are are working in a linked data environment that at its
> best spans many organisations how is the IBM linked data provider to know
> that it should trust my bblfish.net JS Agent to get a particular resource
> for me?
>    (my suggestions if I add :me cert:trustOrigin <https://bblfish.net> to
> my WebID profile? )
>  - what types of improvements to the identity of JS applications might in
> the long term help develop better apps? ( perhaps having signed JS apps? )
>
>  Henry
>
>
> [1] http://www.w3.org/TR/cors/
> [2] as done by Tabulator or the rdflib.js library published on github
>    https://github.com/linkeddata/
> [3] http://www.w3.org/2012/ldp/wiki/Use_Cases_And_Requirements
>
> Social Web Architect
> http://bblfish.net/
>
>
>

Received on Wednesday, 18 July 2012 19:22:19 UTC