Re: RDFa Vocabularies

Pfew:-) That makes the whole approach much more realistic! If we rely on
RDFa serialization on the vocabulary format then the load on
implementers is much less.

Yes, I might look into implementing this as a test:-)

ivan

On 2010-1-12 19:30 , Manu Sporny wrote:
> Philip Taylor wrote:
>>> That is a tall order. I am not a JS expert but isn't it correct that
>>> this restriction is deeply rooted in the browser environment?
>>
>> If I'm understanding the discussion correctly, then the problem is that
>> browser security is based on the same-origin policy, which means scripts
>> running on a page generally can't access data from a different origin
>> (where "origin" is basically domain+port+scheme). So a script that's
>> used on http://whatever.example/ can't access data from
>> http://example.org/vocab (because that would allow the first site to
>> access private data on the user's intranet, or private data that other
>> sites associate with the user via cookies).
>>
>> CORS (http://dev.w3.org/2006/waf/access-control/) allows servers to
>> relax that restriction, so example.org could be configured to allow
>> access from anyone, in which case it could be read with XMLHttpRequest
>> (in Firefox 3.5+ and Safari 4+; and with XDomainRequest in IE8+).
>>
>> I'd expect an API like getVocabulary that doesn't use CORS and ignores
>> the same-origin policy would be rejected as insecure, since it can be
>> used to reveal information that would otherwise be inaccessible to scripts.
> 
> Our CTO and I just had a side discussion about CORS, resulting in each
> of us reading the updated spec. After reading through it, we both agree
> with Philip - that whatever mechanism is used should probably be, or at
> least be based on, CORS.
> 
> If we depend on CORS, then a simple XMLHttpRequest would work to
> retrieve the remote RDFa Vocabulary document (as long as the remote
> server is configured to respond with "Access-Control-Allow-Origin: *"
> when attempting to retrieve the vocabulary document). Also note that
> this issue only applies to RDFa Vocabularies that are not kept on the
> same server as the HTML+RDFa document.
> 
> So CORS+XMLHttpRequest is a good solution to ensure that RDFa Javascript
> implementations are still possible for RDFa 1.1 in all of the current,
> popular web browsers. Thanks, Philip :)
> 
> -- manu
> 

-- 

Ivan Herman, W3C Semantic Web Activity Lead
Home: http://www.w3.org/People/Ivan/
mobile: +31-641044153
PGP Key: http://www.ivan-herman.net/pgpkey.html
FOAF   : http://www.ivan-herman.net/foaf.rdf
vCard  : http://www.ivan-herman.net/HermanIvan.vcf

Received on Wednesday, 13 January 2010 08:54:49 UTC
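
Added example (not part of the original message or of any RDFa implementation): a simplified JavaScript model of the decision a browser makes when a script on one origin tries to read a vocabulary document from another with a simple GET, as discussed in the thread. The function names and the sample header sets are assumptions made for illustration; the URLs are the thread's own examples.

```javascript
// Simplified model of the browser check for a simple (non-preflighted) GET.
// Sample URLs come from the thread; the header sets below are constructed.

// Origin = scheme + host + port; URL.origin drops default ports (80/443).
function originOf(url) {
  return new URL(url).origin;
}

// Look up a response header case-insensitively.
function header(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) return String(v).trim();
  }
  return undefined;
}

// Decide whether script on pageUrl may read the response from resourceUrl.
function scriptMayRead(pageUrl, resourceUrl, responseHeaders, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(resourceUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  const acao = header(responseHeaders, "access-control-allow-origin");
  if (acao === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin" };
  }
  if (!withCredentials) {
    const ok = acao === "*" || acao === pageOrigin;
    return { allowed: ok, reason: ok ? "CORS grant" : "origin not listed" };
  }
  // Credentialed requests: "*" is not accepted, the origin must be echoed
  // exactly and Access-Control-Allow-Credentials must be "true".
  const acac = header(responseHeaders, "access-control-allow-credentials");
  const ok = acao === pageOrigin && acac === "true";
  return { allowed: ok, reason: ok ? "credentialed CORS grant" : "credentialed request refused" };
}

// Constructed scenarios using the thread's example hosts.
const page = "http://whatever.example/";
const vocab = "http://example.org/vocab";
console.log(scriptMayRead(page, vocab, {}));
console.log(scriptMayRead(page, vocab, { "Access-Control-Allow-Origin": "*" }));
console.log(scriptMayRead(page, vocab, { "Access-Control-Allow-Origin": "*" }, true));
console.log(scriptMayRead("http://example.org/doc.html", "http://example.org:80/vocab", {}));
```

The wildcard grant only applies to requests sent without cookies or HTTP authentication, which is why it fits a public vocabulary document and does not expose per-user data.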