W3C home > Mailing lists > Public > www-tag@w3.org > May 2010

Re: Cross site scripting: CORS and a Javascript library accessing Linked Data

From: Nathan <nathan@webr3.org>
Date: Mon, 10 May 2010 22:34:57 +0100
Message-ID: <4BE87C01.2000107@webr3.org>
To: Tim Berners-Lee <timbl@w3.org>
CC: TAG List <www-tag@w3.org>, James D Hollenbach <jambo@MIT.EDU>, jeni@jenitennison.com, Melvin Carvalho <melvincarvalho@gmail.com>
Tim Berners-Lee wrote:
> In mid:4BE7BF59.9010204@webr3.org 
> aka http://lists.w3.org/Archives/Public/www-tag/2010May/0009.html
> on 2010-05 -10, at 04:10, Nathan wrote:
> 
>> All,
> 
> [...lots of cool stuff about making JS client talk to sem web backend ...]
> 
>> Thus far the only thing I can see that comes any where near to addressing is the work in progress Cross-Origin Resource Sharing [1] but afaik it's only implemented in the newest browsers + the vast majority of resources on the web don't have these headers set so again the application wouldn't be able to access most data - rendering any apps made very limited and virtually useless - which imho is a huge shame since all the peices needed are ready and waiting on billions(?) of machines.
> 
> Well, machines which serve public data must now serve the two (why two?!) HTTP headers for CORS.

could the CORS model be tweaked so that all access is public, unless a 
resource limit's it via the headers?

any idea of the ratio of sites / resource that need it vs those that don't?

> Just lean on data sources you know to do this.  And people have to use new browsers to get new functionality.

Will do - going to send a note out to public-lod and key vendors 
(talis/openlink etc) in a moment to ask that everybody publishing linked 
open data makes a move to add the headers.

> Note if they run an add-on, like Tabulator, then they skip this problem as the code is
> deemed trusted.  

noted :) it's a shame code signing is only mozilla specific (afaik)

>> I may be going down the wrong track here, but it feels like the correct path to persue, the next logical step for read write web, and is fully supported even by old browsers like ie6, all apart from this XSS issue.
>>
>> side: I've not looked in to FOAF+SSL through a Proxy, but it may be an option to mount a proxy on the same domain as the application and utilize it(?) - not ideal, no idea if it could work [head scratching]
> 
> Jim Hollenbach (Ccd) has just gone through exactly the thought process you did.
> He has made a JS widget library which you just point at linked data or SPARQL.
> Jim, could you send Nathan a draft of your thesis?

Fantastic, please do Jim.

Tim, all, I've noted there are a lot of JS resources in the online 
tabulator written by yourself and Joe etc, are they free to 
modify/hack/port etc?

> Nathan, Jim has made an open source RDF library which does basically exactly what you want with client-side Jquery-style query of the local store or
> a remote SPARQL endpoint, with the JQuery API copied from Jeni Tennison's library, run over the quad store from the Tabulator library.
> Jim has battles the CORS monster and has experience as to when it works and when it doesn't.

Great, I'd hoped this mail would lead em to people already doing it and 
a few steps ahead :)

> Jim's work is open source and Id encourage you to rip it or ideally co-develop it.

co-develop sounds great to me, hopefully Melvin will feel the same.

RDF/JSON is up for discussion at the RDF workshop isn't it? would be 
great to have a standard for this serialization. On the same note, is 
there any scope or work for including (multiple) named graphs in rdf, or 
a json/n3 or..?

> We could do with a version of the linked data bubble diagram with the systems which support CORS in green. Anyone?
> 
>> Any input, ideas, places to turn?
>>
>> [1] http://www.w3.org/TR/cors/
>>

Many thanks,

Nathan
Received on Monday, 10 May 2010 21:36:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:20 GMT