W3C home > Mailing lists > Public > www-tag@w3.org > May 2010

Re: Cross site scripting: CORS and a Javascript library accessing Linked Data

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Mon, 10 May 2010 23:57:36 +0200
Message-ID: <AANLkTildB5jb67mVwRF40qDiHx7Uxic1GbSi6GYBy9pG@mail.gmail.com>
To: nathan@webr3.org
Cc: Tim Berners-Lee <timbl@w3.org>, TAG List <www-tag@w3.org>, James D Hollenbach <jambo@mit.edu>, jeni@jenitennison.com
2010/5/10 Nathan <nathan@webr3.org>

> Tim Berners-Lee wrote:
>
>> In mid:4BE7BF59.9010204@webr3.org <mid%3A4BE7BF59.9010204@webr3.org> aka
>> http://lists.w3.org/Archives/Public/www-tag/2010May/0009.html
>> on 2010-05 -10, at 04:10, Nathan wrote:
>>
>>  All,
>>>
>>
>> [...lots of cool stuff about making JS client talk to sem web backend ...]
>>
>>  Thus far the only thing I can see that comes any where near to addressing
>>> is the work in progress Cross-Origin Resource Sharing [1] but afaik it's
>>> only implemented in the newest browsers + the vast majority of resources on
>>> the web don't have these headers set so again the application wouldn't be
>>> able to access most data - rendering any apps made very limited and
>>> virtually useless - which imho is a huge shame since all the peices needed
>>> are ready and waiting on billions(?) of machines.
>>>
>>
>> Well, machines which serve public data must now serve the two (why two?!)
>> HTTP headers for CORS.
>>
>
> could the CORS model be tweaked so that all access is public, unless a
> resource limit's it via the headers?
>
> any idea of the ratio of sites / resource that need it vs those that don't?
>
>
>  Just lean on data sources you know to do this.  And people have to use new
>> browsers to get new functionality.
>>
>
> Will do - going to send a note out to public-lod and key vendors
> (talis/openlink etc) in a moment to ask that everybody publishing linked
> open data makes a move to add the headers.
>
>
>  Note if they run an add-on, like Tabulator, then they skip this problem as
>> the code is
>> deemed trusted.
>>
>
> noted :) it's a shame code signing is only mozilla specific (afaik)
>
>
>  I may be going down the wrong track here, but it feels like the correct
>>> path to persue, the next logical step for read write web, and is fully
>>> supported even by old browsers like ie6, all apart from this XSS issue.
>>>
>>> side: I've not looked in to FOAF+SSL through a Proxy, but it may be an
>>> option to mount a proxy on the same domain as the application and utilize
>>> it(?) - not ideal, no idea if it could work [head scratching]
>>>
>>
>> Jim Hollenbach (Ccd) has just gone through exactly the thought process you
>> did.
>> He has made a JS widget library which you just point at linked data or
>> SPARQL.
>> Jim, could you send Nathan a draft of your thesis?
>>
>
> Fantastic, please do Jim.
>
> Tim, all, I've noted there are a lot of JS resources in the online
> tabulator written by yourself and Joe etc, are they free to modify/hack/port
> etc?
>
>
>  Nathan, Jim has made an open source RDF library which does basically
>> exactly what you want with client-side Jquery-style query of the local store
>> or
>> a remote SPARQL endpoint, with the JQuery API copied from Jeni Tennison's
>> library, run over the quad store from the Tabulator library.
>> Jim has battles the CORS monster and has experience as to when it works
>> and when it doesn't.
>>
>
> Great, I'd hoped this mail would lead em to people already doing it and a
> few steps ahead :)
>
>
>  Jim's work is open source and Id encourage you to rip it or ideally
>> co-develop it.
>>
>
> co-develop sounds great to me, hopefully Melvin will feel the same.
>

Yes, definitely!  Already talking to Joe & co. about collaboration, so would
love to help out / combine efforts where I can ... oshani has also kindly
pointed me to the hg repo ...


>
> RDF/JSON is up for discussion at the RDF workshop isn't it? would be great
> to have a standard for this serialization. On the same note, is there any
> scope or work for including (multiple) named graphs in rdf, or a json/n3
> or..?
>
>
>  We could do with a version of the linked data bubble diagram with the
>> systems which support CORS in green. Anyone?
>>
>>  Any input, ideas, places to turn?
>>>
>>> [1] http://www.w3.org/TR/cors/
>>>
>>>
> Many thanks,
>
> Nathan
>
Received on Monday, 10 May 2010 21:58:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:20 GMT