- From: Dan Brickley <danbri@danbri.org>
- Date: Fri, 9 Jul 2010 15:38:46 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: RDFa WG <public-rdfa-wg@w3.org>

On Fri, Jul 9, 2010 at 3:22 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
> One of the biggest concerns that I (and many others) have had about RDFa
> 1.1 is the requirement that external documents (RDFa Profiles) are
> processed via Javascript.
>
> As we all know, cross-domain access in Javascript is difficult to do at
> the moment. XSS protections in browsers are necessary. CORS doesn't have
> high market penetration at this point in time. So, implementing a pure
> Javascript RDFa 1.1 parser is impossible without a proxy RDFa Profile
> fetching proxy. Implementing a reliable proxy is not possible without
> using CORS and using CORS is not available in more than 98% of all
> browsers. Whatever solution we use has to protect against XSS attacks.
>
> This has bothered me for some time and just last week while Shane and I
> were talking about another implementation issue, a fairly robust
> solution appeared:
>
> http://www.w3.org/2010/02/rdfa/wiki/rdfa-flash
>
> I don't know why it didn't hit me before because this is the solution
> that we use in our company to do various different types of pure
> Javascript, in-browser, peer-to-peer communication.
>
> You can use a combination of Flash and a policy file to do cross-origin
> stuff safely. It's basically CORS, but implemented in Flash, which means
> that 98% of all browsers support it. Seems like a good bridging strategy.

FWIW this is what Strophe.js uses for x-site XMPP/BOSH comms,
http://code.stanziq.com/strophe/ -> http://flxhr.flensed.com/

"flXHR [flĕkʹsər],(flex-er) is a *client-based* cross-browser,
XHR-compatible tool for cross-domain Ajax (Flash) communication. It
utilizes an invisible flXHR.swf instance that acts as sort of a
client-side proxy for requests, combined with a Javascript
object/module wrapper that exposes an identical interface to the
native XMLHttpRequest (XHR) browser object, with a few helpful
additions and a couple of minor limitations (see the documentation for
more details)."

Dan

Received on Friday, 9 July 2010 13:39:20 UTC