Re: Possible issue w/ @profile and http vs. https

On Wed, 03 Nov 2010 16:37:07 -0400
Manu Sporny <msporny@digitalbazaar.com> wrote:

> Just throwing this out there as I do think that we would want to
> ensure that the browsers that implement RDFa Core "fail to load a
> profile" when a profile is loaded from an HTTPS page in non-HTTPS
> mode. It's really implementation guidance, but perhaps something that
> should be placed into the RDFa API spec or the RDFa Core spec?

However, "http:" profiles are probably OK on secure pages *if* the
parser has hard-coded them.

In addition to allowing "https:" profiles on secure pages, there are a
few other URI schemes that should be safe to allow, if the library
you're using to fetch URIs supports them:

	sftp:
	svn+ssh:
	scp:

And "data:" URIs should also be safe to load from HTTPS pages, though
it's not clear why anyone would want to.

-- 
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>

Received on Wednesday, 3 November 2010 21:57:29 UTC
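
The scheme rules discussed in this message, written out as a load decision. This is an added example, not part of the original e-mail or of any RDFa parser; the function name, the result fields and the hard-coded profile URI are assumptions made for illustration.

```javascript
// Added example: decide whether an RDFa parser may load a profile document.
// Schemes the message lists as safe to fetch from a secure (https:) page.
const SECURE_SCHEMES = new Set(["https:", "sftp:", "svn+ssh:", "scp:", "data:"]);

// Constructed placeholder for profiles compiled into the parser itself.
const HARDCODED_PROFILES = new Set(["http://profiles.example/rdfa-default"]);

// Drop the fragment so "profile#term" still matches the hard-coded entry.
function withoutFragment(url) {
  const copy = new URL(url.href);
  copy.hash = "";
  return copy.href;
}

// Returns { load, source, reason } for one @profile value on one page.
function decideProfileLoad(pageUri, profileUri, hardcoded = HARDCODED_PROFILES) {
  let page, profile;
  try {
    page = new URL(pageUri);
    profile = new URL(profileUri, page); // resolve relative @profile values
  } catch (err) {
    return { load: false, source: null, reason: "unparseable URI" };
  }
  // A hard-coded profile is never fetched, so its scheme does not matter.
  if (hardcoded.has(withoutFragment(profile))) {
    return { load: true, source: "builtin", reason: "hard-coded profile" };
  }
  // The restriction only applies when the embedding page is secure.
  if (page.protocol !== "https:") {
    return { load: true, source: "network", reason: "page is not secure" };
  }
  if (SECURE_SCHEMES.has(profile.protocol)) {
    return { load: true, source: "network", reason: "secure scheme " + profile.protocol };
  }
  // Anything else on an https: page is treated as "fail to load a profile".
  return { load: false, source: null,
           reason: "insecure scheme " + profile.protocol + " on secure page" };
}
```

A relative `@profile` value inherits the page's scheme after resolution, so it passes on an `https:` page without special handling.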