- From: Mark Birbeck <mark.birbeck@webbackplane.com>
- Date: Fri, 16 Jul 2010 17:22:03 +0100
- To: Shane McCarron <shane@aptest.com>
- Cc: Toby Inkster <tai@g5n.co.uk>, RDFa WG <public-rdfa-wg@w3.org>
Hi Shane, > Which is EXACTLY why we rejected it as a required format. If it's something you want to > support in your implementation, I say go for it. But I think it is way too high a risk. I > would MUCH rather have this flash hack coupled with a CORS-aware proxy as a backup > service. At least this way we are only delivering (X)HTML files that are then being parsed. > No room for random stuff to be injected into my Javascript runtime environment. The primary part of my proposal was always that having an RDF vocabulary to define prefix mappings is overkill, and that name-value pairs is sufficient. I then proposed that it made sense to express these name/value pairs using JSON. Unfortunately, I then went too far and said that by the way, this also allows us to retrieve profiles across domains. The whole cross-domain issue then got brought to the fore, but the problem then is that we are no longer comparing like with like. It's true that using a JSON format for profiles does indeed allow for the cross-domain problem to be solved, if JSONP is used to allow the browser to get a handle on the JSON. But as we know, that also leaves a security hole, since you can't control what is going to be executed in the JSONP. However, since there is no other way to do cross-domain profiles in a browser, without using techniques that are not yet widespread (CORS, postMessage(), etc.), then if we ignore JSONP we only put JSON on a par with HTML+RDFa -- we don't make it inferior. In other words, a JSON format for profiles is no less secure than an HTML+RDFa format if JSONP is taken out of the picture, whilst it's a lot quicker and simpler to obtain the prefix mappings from. Regards, Mark -- Mark Birbeck, webBackplane mark.birbeck@webBackplane.com http://webBackplane.com/mark-birbeck webBackplane is a trading name of Backplane Ltd. (company number 05972288, registered office: 2nd Floor, 69/85 Tabernacle Street, London, EC2A 4RR)
Received on Friday, 16 July 2010 16:22:38 UTC