- From: Toby Inkster <tai@g5n.co.uk>
- Date: Tue, 01 Dec 2009 09:16:11 +0000
- To: Mark Birbeck <mark.birbeck@webbackplane.com>
- Cc: Christoph LANGE <ch.lange@jacobs-university.de>, Ivan Herman <ivan@w3.org>, RDFa Developers <public-rdf-in-xhtml-tf@w3.org>
On Tue, 2009-12-01 at 08:48 +0000, Mark Birbeck wrote:
> Right...but as I say, a JavaScript parser running in a browser would
> not be able to retrieve those RDFa documents, if they were in a
> different domain to the main document.
>
> So even if we do support that, I think we need to do it in a way that
> also supports a JSON solution.

XHR requests are domain-restricted. This is the case whether the profiles are in XML, XHTML or plain text. JSON doesn't change that.

So-called "JSON-P" (which is actually Javascript, not JSON) provides a workaround, but also opens a gaping security hole as it allows the server you're reading from to inject arbitrary Javascript code into your document. If your document contains any private data (e.g. you're using RDFa on pages containing your company's internal data on a page that's behind a corporate firewall) then a malevolent JSON-P profile could be used to steal that data.

--
Toby A Inkster <mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>
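The hole Toby describes exists because a JSON-P response is loaded as a script and runs before the page can look at it. An added example (not part of the message or of any RDFa parser) of the defensive alternative: fetch the profile body as text and unwrap the callback with a strict parser, so a malicious profile fails as bad JSON instead of executing. Function names and the sample profiles are constructed for this illustration.

```javascript
// Added example: treat a JSON-P style body as data, never as code.
// Assumes the body was obtained as text (same-origin XHR, or a CORS
// request) rather than via a <script> tag, which would execute it.

// Accepts only: optional whitespace, one identifier, "(", a JSON
// payload, ")", optional ";" and whitespace. Anything else is rejected.
const JSONP_WRAPPER = /^\s*([A-Za-z_$][\w$]*)\s*\(([\s\S]*)\)\s*;?\s*$/;

function parseJsonpAsData(body, expectedCallback) {
  const m = JSONP_WRAPPER.exec(body);
  if (!m) {
    throw new Error('response is not a single callback(...) wrapper');
  }
  if (m[1] !== expectedCallback) {
    throw new Error('unexpected callback name: ' + m[1]);
  }
  // JSON.parse throws on anything that is not pure JSON, so trailing
  // statements smuggled into the payload are rejected rather than run.
  return JSON.parse(m[2]);
}

// Constructed sample profiles, as a server might return them.
const BENIGN_PROFILE = 'cb({"prefixes":{"foaf":"http://xmlns.com/foaf/0.1/"}})';
// A hostile server appends a statement after the data; stealSecrets is
// a hypothetical name standing in for any injected code.
const HOSTILE_PROFILE = 'cb({"prefixes":{}}); stealSecrets()';

// Returns which samples were accepted, for a quick self-check.
function checkSamples() {
  const result = {};
  for (const [name, body] of [['benign', BENIGN_PROFILE], ['hostile', HOSTILE_PROFILE]]) {
    try {
      parseJsonpAsData(body, 'cb');
      result[name] = 'accepted';
    } catch (e) {
      result[name] = 'rejected: ' + e.message;
    }
  }
  return result;
}
```

This only helps when the profile can be fetched as text; a cross-domain profile that the browser will not let XHR read cannot be made safe by parsing, because the only way to load it is the script tag that executes it.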
Received on Tuesday, 1 December 2009 09:16:55 UTC