Re: Possible issue w/ @profile and http vs. https

From: Toby Inkster <tai@g5n.co.uk>
Date: Wed, 3 Nov 2010 21:57:01 +0000
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: RDFa WG <public-rdfa-wg@w3.org>
Message-ID: <20101103215701.4f2c7e4a@miranda.g5n.co.uk>

On Wed, 03 Nov 2010 16:37:07 -0400
Manu Sporny <msporny@digitalbazaar.com> wrote:

> Just throwing this out there as I do think that we would want to
> ensure that the browsers that implement RDFa Core "fail to load a
> profile" when a profile is loaded from an HTTPS page in non-HTTPS
> mode. It's really implementation guidance, but perhaps something that
> should be placed into the RDFa API spec or the RDFa Core spec?

However, "http:" profiles are probably OK on secure pages *if* the
parser has hard-coded them.

In addition to allowing "https:" profiles on secure pages, there are a
few other URI schemes that should be safe to allow, if the library
you're using to fetch URIs supports them:

	sftp:
	svn+ssh:
	scp:

And "data:" URIs should also be safe to load from HTTPS pages, though
it's not clear why anyone would want to.

-- 
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>
Received on Wednesday, 3 November 2010 21:57:29 UTC
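
An added example, not part of the original message or of any RDFa parser: the scheme check discussed in this thread, as a parser might apply it before fetching a profile. The function name, the return shape and the built-in profile URI are assumptions made for illustration.

```javascript
// Schemes the message lists as acceptable for a profile referenced from a secure page.
const SECURE_SCHEMES = new Set(["https:", "sftp:", "svn+ssh:", "scp:", "data:"]);

// Constructed placeholder: profiles whose terms ship inside the parser itself.
const BUILTIN_PROFILES = new Map([
  ["http://profiles.example/builtin", { prefixes: { ex: "http://vocab.example/ns#" } }],
]);

// Resolve against the page and drop the fragment so lookups compare like with like.
function normalize(uri, base) {
  const u = new URL(uri, base);
  u.hash = "";
  return u;
}

// Decide what to do with a profile reference: use the hard-coded copy,
// fetch it, or fail the load (hypothetical return shape).
function decideProfileLoad(pageUri, profileUri, builtins = BUILTIN_PROFILES) {
  let page, profile;
  try {
    page = new URL(pageUri);
    profile = normalize(profileUri, page);
  } catch (e) {
    return { action: "fail", reason: "unparseable URI" };
  }
  // A hard-coded profile never touches the network, so its scheme does not matter.
  if (builtins.has(profile.href)) {
    return { action: "use-builtin", reason: "hard-coded profile, no fetch" };
  }
  // The restriction only applies when the referencing page is itself secure.
  if (page.protocol !== "https:") {
    return { action: "fetch", reason: "page is not secure" };
  }
  if (SECURE_SCHEMES.has(profile.protocol)) {
    return { action: "fetch", reason: "scheme allowed on secure page" };
  }
  return { action: "fail", reason: `${profile.protocol} profile on https: page` };
}
```

Whether a given scheme can actually be fetched still depends on the library in use, as the message notes; this check only decides whether the attempt is permitted.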