- From: Toby Inkster <tai@g5n.co.uk>
- Date: Fri, 09 Jul 2010 17:16:51 +0100
- To: RDFa WG <public-rdfa-wg@w3.org>
On Fri, 2010-07-09 at 14:46 +0100, Mark Birbeck wrote:
> But as I said way back during the discussions on profile, if you allow
> profiles to be defined using JSON then you don't have this problem.

Mark, I know you know this, but it's good to be clear... JSON does *not* allow you to circumvent browser cross-origin policies; JSONP does.

Why is this an important distinction? Because JSONP is essentially a profile of JavaScript. You bypass browser cross-origin policies because instead of fetching the profile, you embed (and thus execute) the profile as a script.

While in practice there may be situations where this is a reasonable way to operate, executing unchecked third-party scripts carries a pretty big risk. I imagine that if we recommended this technique in the spec, there'd be a lot of pushback.

--
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>

Received on Friday, 9 July 2010 16:17:34 UTC
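
The data-versus-code distinction drawn in the message above, as an added example that is not part of the original message or of any RDFa specification. It assumes the response body is already in hand and shows only how each path treats it; the profile shape, `profileCallback`, `page` and `sessionToken` are hypothetical names, and the response bodies are constructed samples.

```javascript
// Constructed sample bodies from a hypothetical third-party profile server.
const jsonBody = '{"prefix":{"foaf":"http://xmlns.com/foaf/0.1/"}}';
const jsonpHonest = 'profileCallback(' + jsonBody + ');';
// The same JSONP endpoint after the third party changes its response: it still
// delivers the profile, but also writes to state owned by the embedding page.
const jsonpTampered = 'page.sessionToken = "overwritten"; ' + jsonpHonest;

// JSON path: the body is data. Anything that is not strict JSON is rejected,
// so extra statements in the response never run.
function loadAsJson(body) {
  try {
    return { ok: true, profile: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// JSONP path: stand-in for <script src="...">. The body is executed as code,
// with the same reach into the page that any other script on it has.
function loadAsJsonp(body, page) {
  let profile = null;
  const run = new Function('profileCallback', 'page', body);
  run((p) => { profile = p; }, page);
  return profile;
}

function demo() {
  const page = { sessionToken: 'secret-session' }; // hypothetical page state
  return {
    json: loadAsJson(jsonBody),                    // parsed as data
    jsonRejectsScript: loadAsJson(jsonpTampered),  // refused: not JSON
    jsonpProfile: loadAsJsonp(jsonpTampered, page),// profile arrives as expected
    pageAfterJsonp: page.sessionToken,             // but page state was changed
  };
}

console.log(demo());
```

The embedding page sees a normal profile from the tampered JSONP response, which is why the extra side effect goes unnoticed unless the response is handled as data instead of being executed.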