- From: Toby Inkster <tai@g5n.co.uk>
- Date: Wed, 3 Nov 2010 21:57:01 +0000
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: RDFa WG <public-rdfa-wg@w3.org>
On Wed, 03 Nov 2010 16:37:07 -0400
Manu Sporny <msporny@digitalbazaar.com> wrote:

> Just throwing this out there as I do think that we would want to
> ensure that the browsers that implement RDFa Core "fail to load a
> profile" when a profile is loaded from an HTTPS page in non-HTTPS
> mode. It's really implementation guidance, but perhaps something that
> should be placed into the RDFa API spec or the RDFa Core spec?

However, "http:" profiles are probably OK on secure pages *if* the
parser has hard-coded them.

In addition to allowing "https:" profiles on secure pages, there are a
few other URI schemes that should be safe to allow, if the library
you're using to fetch URIs supports them:

    sftp:
    svn+ssh:
    scp:

And "data:" URIs should also be safe to load from HTTPS pages, though
it's not clear why anyone would want to.

--
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>

Received on Wednesday, 3 November 2010 21:57:29 UTC
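
The rule discussed in this message, sketched as a profile-load decision a parser could make before fetching. This is an added example, not code from the thread, the RDFa specs or any RDFa parser. Assumptions: the names `decideProfileLoad`, `BUILTIN_PROFILES` and `supported` are hypothetical, the built-in profile URI is a constructed placeholder, and pages that are not HTTPS are left unrestricted because the message only addresses secure pages.

```javascript
// Added illustration; all names and sample URIs below are hypothetical.
// Schemes the message lists as safe on a secure page (URL.protocol form).
const SECURE_SCHEMES = new Set(["https:", "sftp:", "svn+ssh:", "scp:", "data:"]);

// Constructed sample: profiles whose contents ship inside the parser, so
// resolving them never touches the network, even when the URI is "http:".
const BUILTIN_PROFILES = new Map([
  ["http://profiles.example/vocab", { terms: { title: "http://vocab.example/title" } }],
]);

// pageUrl: URL of the document being parsed.
// profileRef: profile reference as written in the page (may be relative).
// supported: schemes the fetch library in use can retrieve (assumed default).
function decideProfileLoad(pageUrl, profileRef,
                           supported = new Set(["http:", "https:", "data:"])) {
  let page, profile;
  try {
    page = new URL(pageUrl);
    profile = new URL(profileRef, page); // resolves relative and "//host" refs
  } catch {
    return { action: "fail", reason: "unparseable URI" };
  }
  profile.hash = ""; // the fragment does not change which document is loaded
  const uri = profile.href; // URL parsing has lower-cased scheme and host

  // Hard-coded profiles are answered locally, so page security is unaffected.
  if (BUILTIN_PROFILES.has(uri)) {
    return { action: "builtin", uri, profile: BUILTIN_PROFILES.get(uri) };
  }
  if (!supported.has(profile.protocol)) {
    return { action: "fail", reason: "scheme not supported by fetch library" };
  }
  // Assumption: the restriction applies only when the page itself is HTTPS.
  if (page.protocol === "https:" && !SECURE_SCHEMES.has(profile.protocol)) {
    return { action: "fail", reason: "insecure profile on secure page" };
  }
  return { action: "fetch", uri };
}
```

A relative profile reference inherits the page's scheme when resolved, so it passes on an HTTPS page without any special casing.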