W3C home > Mailing lists > Public > public-ldp-wg@w3.org > July 2012

Linked Data Profile and CORS

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 17 Jul 2012 11:07:25 +0200
Message-Id: <BF9AAA52-9E8B-4261-980A-02BC77265592@bblfish.net>
To: public-ldp-wg@w3.org

   I think as mentioned previously LDP does require some form of authentication, as it allows non-idempotent methods such as POST, PUT & DELETE . This means that there will be some interesting things to think about relating to CORS [1]

   One application of an LDP server would be to have a javascript client [2] be able to crawl RDF linked data in order to build up a user interface. I have a really simple example that kind-of™ works.


  The page contains no data just a reference to my foaf profile, which is how it fills in the user info and the first column of the Social Book. If you click on some users, such as "Joe Presbrey" the javascript will make an XHR request to his WebID Profile http://presbrey.mit.edu/foaf, which since it contains the right headers especially the "Access-Control-Allow-Origin: *"

 $ curl -I http://presbrey.mit.edu/foaf
   HTTP/1.1 200 OK
   Date: Tue, 17 Jul 2012 08:35:03 GMT
   Server: Apache
   Access-Control-Allow-Origin: *
   Last-Modified: Tue, 20 Dec 2011 01:02:36 GMT
   ETag: "43c4058c-1437-4b47b9f740300"
   Accept-Ranges: bytes
   Content-Length: 5175
   Content-Type: application/rdf+xml

the browser is authorised to pass that profile on for use by the javascript that will display the info. Most linked data sites do not put such headers up, and so make it necessary then to develop CORS proxies (which that social_book application also uses). 

  It may be worth exploring this side of things a bit. Perhaps adding to the LDP Use Cases [3] a javascript based linked data browser could bring these issues up in the LDP Working Group. 

Some questions that come up from my little experience in this area are:
  - should all public RDF resources always return Access-Control-Allow-Origin: * to all public resources?
    ( I would tend to think so, because a simple proxy will always give access to that resource anyway )
  - How does a server know which Origin JS agents to trust for a particular user? Since we are are working in a linked data environment that at its best spans many organisations how is the IBM linked data provider to know that it should trust my bblfish.net JS Agent to get a particular resource for me?
    (my suggestions if I add :me cert:trustOrigin <https://bblfish.net> to my WebID profile? )
  - what types of improvements to the identity of JS applications might in the long term help develop better apps? ( perhaps having signed JS apps? )

[1] http://www.w3.org/TR/cors/
[2] as done by Tabulator or the rdflib.js library published on github 
[3] http://www.w3.org/2012/ldp/wiki/Use_Cases_And_Requirements

Social Web Architect
Received on Tuesday, 17 July 2012 09:08:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:17:30 UTC