- From: Henry Story <henry.story@bblfish.net>
- Date: Tue, 17 Jul 2012 11:07:25 +0200
- To: public-ldp-wg@w3.org
Hi, I think as mentioned previously LDP does require some form of authentication, as it allows non-idempotent methods such as POST, PUT & DELETE . This means that there will be some interesting things to think about relating to CORS [1] One application of an LDP server would be to have a javascript client [2] be able to crawl RDF linked data in order to build up a user interface. I have a really simple example that kind-of™ works. http://bblfish.github.com/rdflib.js/example/people/social_book.html The page contains no data just a reference to my foaf profile, which is how it fills in the user info and the first column of the Social Book. If you click on some users, such as "Joe Presbrey" the javascript will make an XHR request to his WebID Profile http://presbrey.mit.edu/foaf, which since it contains the right headers especially the "Access-Control-Allow-Origin: *" $ curl -I http://presbrey.mit.edu/foaf HTTP/1.1 200 OK Date: Tue, 17 Jul 2012 08:35:03 GMT Server: Apache Access-Control-Allow-Origin: * Last-Modified: Tue, 20 Dec 2011 01:02:36 GMT ETag: "43c4058c-1437-4b47b9f740300" Accept-Ranges: bytes Content-Length: 5175 Content-Type: application/rdf+xml the browser is authorised to pass that profile on for use by the javascript that will display the info. Most linked data sites do not put such headers up, and so make it necessary then to develop CORS proxies (which that social_book application also uses). It may be worth exploring this side of things a bit. Perhaps adding to the LDP Use Cases [3] a javascript based linked data browser could bring these issues up in the LDP Working Group. Some questions that come up from my little experience in this area are: - should all public RDF resources always return Access-Control-Allow-Origin: * to all public resources? ( I would tend to think so, because a simple proxy will always give access to that resource anyway ) - How does a server know which Origin JS agents to trust for a particular user? Since we are are working in a linked data environment that at its best spans many organisations how is the IBM linked data provider to know that it should trust my bblfish.net JS Agent to get a particular resource for me? (my suggestions if I add :me cert:trustOrigin <https://bblfish.net> to my WebID profile? ) - what types of improvements to the identity of JS applications might in the long term help develop better apps? ( perhaps having signed JS apps? ) Henry [1] http://www.w3.org/TR/cors/ [2] as done by Tabulator or the rdflib.js library published on github https://github.com/linkeddata/ [3] http://www.w3.org/2012/ldp/wiki/Use_Cases_And_Requirements Social Web Architect http://bblfish.net/
Received on Tuesday, 17 July 2012 09:08:16 UTC