- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Fri, 09 Jul 2010 09:22:16 -0400
- To: RDFa WG <public-rdfa-wg@w3.org>

One of the biggest concerns that I (and many others) have had about RDFa 1.1 is the requirement that external documents (RDFa Profiles) are processed via Javascript. As we all know, cross-domain access in Javascript is difficult to do at the moment. XSS protections in browsers are necessary. CORS doesn't have high market penetration at this point in time.

So, implementing a pure Javascript RDFa 1.1 parser is impossible without a proxy RDFa Profile fetching proxy. Implementing a reliable proxy is not possible without using CORS and using CORS is not available in more than 98% of all browsers. Whatever solution we use has to protect against XSS attacks.

This has bothered me for some time and just last week while Shane and I were talking about another implementation issue, a fairly robust solution appeared:

http://www.w3.org/2010/02/rdfa/wiki/rdfa-flash

I don't know why it didn't hit me before because this is the solution that we use in our company to do various different types of pure Javascript, in-browser, peer-to-peer communication. You can use a combination of Flash and a policy file to do cross-origin stuff safely. It's basically CORS, but implemented in Flash, which means that 98% of all browsers support it.

Yes, it is Flash and it's proprietary, but this is a stop-gap solution until the browser vendors integrate RDFa into the browser. Until that day comes, we can use the cross-origin support built into Flash to enable pure Javascript+Flash implementations of RDFa 1.1 Processors.

We can protect against XSS attacks by having an RDFa Profile fetching service out there that parses and caches RDFa profile triples and only returns tokens in the RDFa Vocabulary specific to terms and prefixes. It could return the data in JSON-LD[1] format.

While this solution isn't scalable, it would provide a stop-gap solution that would allow us to demonstrate the power of RDFa using Javascript-only libraries.

-- manu

[1] http://rdfa.digitalbazaar.com/specs/source/json-ld/

--
Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: Myth Busting Web Stacks - PHP is Faster Than You Think
http://blog.digitalbazaar.com/2010/06/12/myth-busting-php/2/

Received on Friday, 9 July 2010 13:22:46 UTC
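
The message above proposes a profile-fetching service that returns only term and prefix tokens. The following sketch of that server-side filter is an added example, not part of the original message and not code from the author or the RDFa WG. It assumes the profile has already been parsed into triples of the hypothetical shape `{s, p, o}`, that mappings use the `rdfa:prefix`, `rdfa:term` and `rdfa:uri` predicates, and that a plain JSON object of two maps is an acceptable response shape.

```javascript
// Added example (not from the original message): server-side allow-list
// filter for a profile-fetching service. Triple shape {s, p, o} is hypothetical.
const RDFA = 'http://www.w3.org/ns/rdfa#';
const KEEP = new Set(['prefix', 'term', 'uri']);
// Assumption: restrict names to a conservative ASCII subset of NCName.
const TOKEN = /^[A-Za-z_][A-Za-z0-9_.-]*$/;

// Accept only absolute http(s) IRIs, so javascript:, data: and relative
// references never reach the in-browser parser.
function safeIri(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) { return false; }
}

function filterProfile(triples) {
  const nodes = new Map();
  for (const { s, p, o } of triples) {
    if (typeof p !== 'string' || !p.startsWith(RDFA)) continue;
    const key = p.slice(RDFA.length);
    if (!KEEP.has(key) || typeof o !== 'string') continue;
    const node = nodes.get(s) || {};
    if (key in node) node.ambiguous = true; // conflicting values: reject node
    node[key] = o;
    nodes.set(s, node);
  }
  // Null-prototype maps: a name such as "__proto__" stays plain data.
  const out = { prefixes: Object.create(null), terms: Object.create(null) };
  for (const node of nodes.values()) {
    if (node.ambiguous || !('uri' in node) || !safeIri(node.uri)) continue;
    const isPrefix = 'prefix' in node;
    if (isPrefix === ('term' in node)) continue; // need exactly one of the two
    const name = isPrefix ? node.prefix : node.term;
    if (!TOKEN.test(name)) continue;
    (isPrefix ? out.prefixes : out.terms)[name] = node.uri;
  }
  return out;
}

// Constructed sample: one valid prefix, one script-scheme term, one stray triple.
const SAMPLE = [
  { s: '_:a', p: RDFA + 'prefix', o: 'foaf' },
  { s: '_:a', p: RDFA + 'uri', o: 'http://xmlns.com/foaf/0.1/' },
  { s: '_:b', p: RDFA + 'term', o: 'name' },
  { s: '_:b', p: RDFA + 'uri', o: 'javascript:void(0)' },
  { s: '_:c', p: 'http://purl.org/dc/terms/title', o: '<script>x</script>' },
];
console.log(JSON.stringify(filterProfile(SAMPLE)));
```

Because the filter builds a fresh object from validated strings instead of forwarding the fetched document, markup or script embedded elsewhere in a profile never reaches the page that requested it.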