
Re: Cross site scripting: CORS and a Javascript library accessing Linked Data

From: Nathan <nathan@webr3.org>
Date: Tue, 11 May 2010 05:42:31 +0100
Message-ID: <4BE8E037.2050800@webr3.org>
To: Tim Berners-Lee <timbl@w3.org>
CC: TAG List <www-tag@w3.org>, James D Hollenbach <jambo@MIT.EDU>, Anne van Kesteren <annevk@opera.com>, Jeni Tennison <jeni@jenitennison.com>
fyi - regarding the below:

http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0553.html

probably wrong & most likely will be ignored, but the above is where I 
see this going - small~ish localized issue now, huge issue in the long term.

Best Regards - thanks for the response Tim & look forward to hearing 
from you soon James.

Nathan

Tim Berners-Lee wrote:
> In mid:4BE7BF59.9010204@webr3.org 
> aka http://lists.w3.org/Archives/Public/www-tag/2010May/0009.html
> on 2010-05-10, at 04:10, Nathan wrote:
> 
>> All,
> 
> [...lots of cool stuff about making JS client talk to sem web backend ...]
> 
>> Thus far the only thing I can see that comes anywhere near to addressing this is the work-in-progress Cross-Origin Resource Sharing [1], but afaik it's only implemented in the newest browsers + the vast majority of resources on the web don't have these headers set, so again the application wouldn't be able to access most data - rendering any apps made very limited and virtually useless - which imho is a huge shame since all the pieces needed are ready and waiting on billions(?) of machines.
> 
> Well, machines which serve public data must now serve the two (why two?!) HTTP headers for CORS.
> Just lean on data sources you know to do this.  And people have to use new browsers to get new functionality.
> 
> Note if they run an add-on, like Tabulator, then they skip this problem as the code is
> deemed trusted.  
> 
> 
>> I may be going down the wrong track here, but it feels like the correct path to pursue, the next logical step for the read-write web, and is fully supported even by old browsers like IE6, all apart from this XSS issue.
>>
>> side: I've not looked in to FOAF+SSL through a Proxy, but it may be an option to mount a proxy on the same domain as the application and utilize it(?) - not ideal, no idea if it could work [head scratching]
> 
> Jim Hollenbach (Cc'd) has just gone through exactly the thought process you did.
> He has made a JS widget library which you just point at linked data or SPARQL.
> Jim, could you send Nathan a draft of your thesis?
> 
> Nathan, Jim has made an open source RDF library which does basically exactly what you want, with client-side jQuery-style query of the local store or
> a remote SPARQL endpoint, with the jQuery API copied from Jeni Tennison's library, run over the quad store from the Tabulator library.
> Jim has battled the CORS monster and has experience as to when it works and when it doesn't.
> 
> Jim's work is open source and I'd encourage you to rip it or ideally co-develop it.
> 
> We could do with a version of the linked data bubble diagram with the systems which support CORS in green. Anyone?
> 
>> Any input, ideas, places to turn?
>>
>> [1] http://www.w3.org/TR/cors/
>>
>> Best,
>>
>> Nathan
>>
>>
> 
> 
> 
> 
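As an added example that is not part of this thread, of Tabulator, or of Jim's library: a small Python check of the browser-side CORS rule Tim refers to (the Access-Control-Allow-Origin response header a public data server must send before a cross-origin script can read its responses), plus an audit of header combinations a public Linked Data or SPARQL server should not deploy. All header values are constructed samples.

```python
"""Added example (not from the thread). Evaluates the simplified CORS rule a
browser applies to a simple cross-origin GET, and audits the response headers
a server publishing *public* data sends. Header values are constructed."""


def _norm(headers: dict) -> dict:
    # HTTP header names are case-insensitive; normalise once for lookups.
    return {k.lower(): v.strip() for k, v in headers.items()}


def cors_read_allowed(origin: str, headers: dict, with_credentials: bool = False) -> bool:
    """Would a script running at `origin` be allowed to read this response?

    Rule: Access-Control-Allow-Origin must equal the requesting origin, or be
    '*'. If the request carried credentials (cookies, client certs as in
    FOAF+SSL), '*' is rejected and Access-Control-Allow-Credentials: true is
    also required.
    """
    h = _norm(headers)
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return False  # pre-CORS server: the browser blocks the read entirely
    allow_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if with_credentials:
        return allow_origin == origin and allow_creds
    return allow_origin == "*" or allow_origin == origin


def audit_public_data_headers(headers: dict) -> list:
    """Defender-facing findings for a server whose data is public and read-only.

    Public data is safe to share with '*'; anything narrower either blocks
    clients needlessly or, combined with credentials, exposes session state.
    """
    h = _norm(headers)
    allow_origin = h.get("access-control-allow-origin")
    allow_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if allow_origin is None:
        findings.append("no Access-Control-Allow-Origin: cross-origin JS clients cannot read this data")
    elif allow_origin == "*" and allow_creds:
        findings.append("'*' plus Allow-Credentials: true is rejected by browsers; drop the credentials header")
    elif allow_origin != "*" and allow_creds:
        findings.append("per-origin ACAO with credentials on public data: exposes session state for no gain")
    elif allow_origin != "*" and "origin" not in h.get("vary", "").lower():
        findings.append("per-origin ACAO without 'Vary: Origin': shared caches may serve one origin's grant to another")
    return findings
```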
Received on Tuesday, 11 May 2010 04:43:48 GMT
