
Cross site scripting: CORS and a Javascript library accessing Linked Data

From: Tim Berners-Lee <timbl@w3.org>
Date: Mon, 10 May 2010 12:01:37 -0400
Cc: TAG List <www-tag@w3.org>, James D Hollenbach <jambo@MIT.EDU>, jeni@jenitennison.com
Message-Id: <F16791FE-A5F3-4B67-82E1-A996538B37B3@w3.org>
To: nathan@webr3.org
In mid:4BE7BF59.9010204@webr3.org
aka http://lists.w3.org/Archives/Public/www-tag/2010May/0009.html
on 2010-05-10, at 04:10, Nathan wrote:

> All,

[...lots of cool stuff about making JS client talk to sem web backend ...]

> Thus far the only thing I can see that comes anywhere near to addressing this is the work in progress Cross-Origin Resource Sharing [1] but afaik it's only implemented in the newest browsers + the vast majority of resources on the web don't have these headers set so again the application wouldn't be able to access most data - rendering any apps made very limited and virtually useless - which imho is a huge shame since all the pieces needed are ready and waiting on billions(?) of machines.

Well, machines which serve public data must now serve the two (why two?!) HTTP headers for CORS.
Just lean on data sources you know to do this.  And people have to use new browsers to get new functionality.

Note if they run an add-on, like Tabulator, then they skip this problem as the code is deemed trusted.


> I may be going down the wrong track here, but it feels like the correct path to pursue, the next logical step for read write web, and is fully supported even by old browsers like IE6, all apart from this XSS issue.
> 
> side: I've not looked in to FOAF+SSL through a Proxy, but it may be an option to mount a proxy on the same domain as the application and utilize it(?) - not ideal, no idea if it could work [head scratching]

Jim Hollenbach (Cc'd) has just gone through exactly the thought process you did.
He has made a JS widget library which you just point at linked data or SPARQL.
Jim, could you send Nathan a draft of your thesis?

Nathan, Jim has made an open source RDF library which does basically exactly what you want with client-side jQuery-style query of the local store or a remote SPARQL endpoint, with the jQuery API copied from Jeni Tennison's library, run over the quad store from the Tabulator library.
Jim has battled the CORS monster and has experience as to when it works and when it doesn't.

Jim's work is open source and I'd encourage you to rip it or ideally co-develop it.

We could do with a version of the linked data bubble diagram with the systems which support CORS in green. Anyone?

> 
> Any input, ideas, places to turn?
> 
> [1] http://www.w3.org/TR/cors/
> 
> Best,
> 
> Nathan
> 
> 
Received on Monday, 10 May 2010 16:01:43 GMT
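Added example, not part of the archived message or of Jim's library: a small model of the two halves of the situation Tim describes above, namely what headers a server of public Linked Data has to emit, and the check a CORS-capable browser performs before it hands a cross-origin XMLHttpRequest response to script (the same-origin restriction Nathan calls the "XSS issue"). The function names, the policy object shape and the sample origins are my own; the decision rules follow the CORS draft cited as [1] in the thread, simplified to the non-preflighted GET case that fetching RDF or a SPARQL result normally is.

```javascript
// Added example (not from the thread). Models CORS for a simple cross-origin GET:
// the server's response headers and the browser's decision to expose the body.
// Names corsResponseHeaders / browserExposesResponse / demo and the policy
// object shape are assumptions of this example, not an API of any real library.

// Server side: headers to add to a response.
//  - mode "public": wildcard origin. Appropriate for unauthenticated, public
//    data; a wildcard is never honoured for credentialed requests, so it cannot
//    leak anything that depends on the caller's cookies or client certificate.
//  - mode "allowlist": echo the Origin only if it is on an explicit list, add
//    "Vary: Origin" so a shared cache does not replay one site's answer to
//    another, and opt in to credentials only when the policy says so.
function corsResponseHeaders(requestOrigin, policy) {
  const headers = {};
  if (policy.mode === "public") {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (policy.mode === "allowlist") {
    if (requestOrigin && policy.origins.includes(requestOrigin)) {
      headers["Access-Control-Allow-Origin"] = requestOrigin;
      headers["Vary"] = "Origin";
      if (policy.credentials) {
        headers["Access-Control-Allow-Credentials"] = "true";
      }
    }
    // Origins not on the list get no CORS headers at all: the browser blocks.
  }
  return headers;
}

// Browser side: given the page's origin, the response headers and whether the
// XHR was sent withCredentials, would the browser expose the response to script?
function browserExposesResponse(pageOrigin, responseHeaders, withCredentials) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) {
    return false; // no header: the "most data on the web" case from the thread
  }
  if (allow === "*") {
    return !withCredentials; // wildcard is rejected for credentialed requests
  }
  if (allow !== pageOrigin) {
    return false; // header names some other origin
  }
  if (withCredentials) {
    return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}

// Constructed sample: a JS widget served from http://app.example.org talks to
// several data sources. Returns a map of scenario -> exposed (true/false).
function demo() {
  const page = "http://app.example.org";
  const results = {};

  // 1. Legacy server that sends no CORS headers: blocked, whatever the app does.
  results.legacy = browserExposesResponse(page, {}, false);

  // 2. Public SPARQL endpoint answering with the wildcard: exposed.
  const pub = { mode: "public" };
  results.publicData = browserExposesResponse(page, corsResponseHeaders(page, pub), false);

  // 3. Same endpoint, but the widget sent credentials: wildcard is not accepted.
  results.publicWithCreds = browserExposesResponse(page, corsResponseHeaders(page, pub), true);

  // 4. Protected endpoint allowlisting the app origin with credentials: exposed.
  const priv = { mode: "allowlist", origins: [page], credentials: true };
  results.allowlisted = browserExposesResponse(page, corsResponseHeaders(page, priv), true);

  // 5. A page on an origin not on the list gets no header and is blocked.
  const other = "http://other.example.net";
  results.otherOrigin = browserExposesResponse(other, corsResponseHeaders(other, priv), true);

  return results;
}
```

Scenario 1 is the one Nathan complains about: until a data source emits the header, no amount of client-side cleverness will get the bytes into script. Scenario 3 is the caveat a practitioner wants when the FOAF+SSL question comes up: a wildcard is only usable for anonymous access, so an endpoint that authenticates the caller has to name the origin explicitly, and then "Vary: Origin" matters because the response is now origin-specific.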
