
Re: Not waiting on browser manufacturers for RDFa 1.1

From: Shane McCarron <shane@aptest.com>
Date: Fri, 09 Jul 2010 09:30:32 -0500
Message-ID: <4C373288.4030003@aptest.com>
To: Dan Brickley <danbri@danbri.org>
CC: Manu Sporny <msporny@digitalbazaar.com>, RDFa WG <public-rdfa-wg@w3.org>
Brilliant - thanks Dan!

On 7/9/2010 8:38 AM, Dan Brickley wrote:
> On Fri, Jul 9, 2010 at 3:22 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
>> One of the biggest concerns that I (and many others) have had about RDFa
>> 1.1 is the requirement that external documents (RDFa Profiles) are
>> processed via Javascript.
>>
>> As we all know, cross-domain access in Javascript is difficult to do at
>> the moment. XSS protections in browsers are necessary. CORS doesn't have
>> high market penetration at this point in time. So, implementing a pure
>> Javascript RDFa 1.1 parser is impossible without a proxy RDFa Profile
>> fetching proxy. Implementing a reliable proxy is not possible without
>> using CORS and using CORS is not available in more than 98% of all
>> browsers. Whatever solution we use has to protect against XSS attacks.
>>
>> This has bothered me for some time and just last week while Shane and I
>> were talking about another implementation issue, a fairly robust
>> solution appeared:
>>
>> http://www.w3.org/2010/02/rdfa/wiki/rdfa-flash
>>
>> I don't know why it didn't hit me before because this is the solution
>> that we use in our company to do various different types of pure
>> Javascript, in-browser, peer-to-peer communication.
>>
>> You can use a combination of Flash and a policy file to do cross-origin
>> stuff safely. It's basically CORS, but implemented in Flash, which means
>> that 98% of all browsers support it.
>>
> Seems like a good bridging strategy. FWIW this is what Strophe.js uses
> for x-site XMPP/BOSH comms, http://code.stanziq.com/strophe/ ->
> http://flxhr.flensed.com/
>
> "flXHR [flĕkʹsər],(flex-er) is a *client-based* cross-browser,
> XHR-compatible tool for cross-domain Ajax (Flash) communication. It
> utilizes an invisible flXHR.swf instance that acts as sort of a
> client-side proxy for requests, combined with a Javascript
> object/module wrapper that exposes an identical interface to the
> native XMLHttpRequest (XHR) browser object, with a few helpful
> additions and a couple of minor limitations (see the documentation for
> more details)."
>
> Dan
>
>

-- 
Shane P. McCarron                          Phone: +1 763 786-8160 x120
Managing Director                            Fax: +1 763 786-8180
ApTest Minnesota                            Inet: shane@aptest.com
Received on Friday, 9 July 2010 14:31:20 GMT
