- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Fri, 09 Jul 2010 17:12:47 -0400
- To: RDFa WG <public-rdfa-wg@w3.org>
On 07/09/10 13:44, Mark Birbeck wrote:
> Yes, you're probably right...all the people who campaigned long and
> hard against using JSON in Flickr, Google Maps, Twitter, Yahoo!, and
> so on, will no doubt be so buoyed by their success that they will
> switch their attention to us.

I'm assuming that you're being facetious, but there is a point that is left unmade in your remark.

Toby and Shane are absolutely correct - we didn't use JSONP because it is a massive security hole to do so. Executing /any/ RDFa vocabulary as Javascript is an unacceptable security risk. I don't know if you know a way around this, because if so, please do let us know.

The difference between Flickr, Google Maps, Twitter, Yahoo! and other large established companies that people trust and some random vocabulary developer should be self-evident. There are certain URLs that you can trust most of the time (like well-known URLs for jQuery caching provided by Google) and there are URLs that you can't trust - like trojan vocabularies that people have developed and tricked others into using.

Here's the nightmare scenario, if it wasn't evident already:

Your bank has RDFa information in your account page - account details, balances, etc. They're using a 3rd party RDFa parser that loads vocabularies via <script> tags and JSONP. Their developers include an extra vocabulary via @profile that loads a profile from a 3rd party site. The 3rd party site gets compromised in some way, still provides the correct term mappings, but also sniffs which site you're on and what content is on the page. If it detects that you're on your bank's website, it encodes your account details in a URL and does an XMLHttpRequest GET to a site that collects all of your banking data. Worse, it puts a window on the page that says that you've been logged out and to enter your username and password to log back into the site.

This was the reason we rejected JSONP as a solution for RDFa Profiles - it is a massive security hole.

We have a duty to the Web community to create solutions that are not only useful, but also secure and that won't violate their trust in the Web.

As I mentioned previously, perhaps you have a solution for this particular attack... I'd love to hear it if you do. :)

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: Myth Busting Web Stacks - PHP is Faster Than You Think
http://blog.digitalbazaar.com/2010/06/12/myth-busting-php/2/
Received on Friday, 9 July 2010 21:13:17 UTC