
Re: DOM Tampering

From: Nathan <nathan@webr3.org>
Date: Thu, 25 Nov 2010 19:40:35 +0000
Message-ID: <4CEEBBB3.409@webr3.org>
To: Mark Birbeck <mark.birbeck@webbackplane.com>
CC: RDFA Working Group <public-rdfa-wg@w3.org>

The other approach is to try and get the unmodified DOM back from the 
browser; if HTTP caching is in place then one could simply GET it again 
and leverage document.implementation or xhr.responseXML to get an 
untouched DOM to parse.

There will probably be more approaches, but probably something we want 
to keep a watch on and advise on.

Worth raising a bug / action?

Best,

Nathan

Mark Birbeck wrote:
> Very good point, Nathan (and Tom).
> 
> What about signing the data via a predicate? If it's absent, a strict
> parser might ignore the triples. And if it's present, its value must
> match a value computed in much the same way that XML Signatures [1]
> work...or perhaps a little simpler. ;)
> 
> In fact...Manu mentioned to me the other day that his company recently
> had need to sign instances of JSON-LD; perhaps we need to look at
> generalising whatever it was that they did.
> 
> Any thoughts on this, Manu? Did you add the signature as a predicate,
> or was it outside of the RDF?
> 
> (Once you've finished your turkey, of course.)
> 
> Mark
> 
> [1] <http://www.w3.org/TR/xmldsig-core/>
> 
> On Thu, Nov 25, 2010 at 3:53 PM, Nathan <nathan@webr3.org> wrote:
>> Hi All,
>>
>> If we lift RDFa from the DOM, and the DOM can be manipulated via JS before
>> lifting the RDF graph, then how does one trust the RDFa?
>>
>> Also, how should parsers treat <iframes>?
>>
>> Two interesting points via Tom Morris,
>>
>> Best,
>>
>> Nathan
>>
>>
> 
> 
Received on Thursday, 25 November 2010 19:41:44 UTC
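
The re-fetch approach from Nathan's reply, sketched as an added example that is not part of the original thread: GET the page again, take the untouched Document from `xhr.responseXML`, and compare its RDFa-bearing elements with the live DOM. The function names are hypothetical, and the sketch assumes a same-origin URL and the RDFa 1.0 attribute set; prefix declarations (`xmlns:*`) are not compared.

```javascript
// Added example, not code from the thread. Function names are hypothetical.
// RDFa 1.0 attributes whose values feed the extracted graph.
const RDFA_ATTRS = ["about", "property", "rel", "rev", "resource", "href",
                    "src", "content", "datatype", "typeof"];

// Browser only: GET the page again and let XHR parse it into a Document that
// page scripts have never touched (xhr.responseXML; its scripts do not run).
function fetchPristine(url) {
  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open("GET", url);
    xhr.responseType = "document";
    xhr.onload = () => xhr.responseXML
      ? resolve(xhr.responseXML) : reject(new Error("response did not parse"));
    xhr.onerror = () => reject(new Error("network error"));
    xhr.send();
  });
}

// One comparable string per RDFa-bearing element, in document order.
function rdfaFingerprint(doc) {
  const selector = RDFA_ATTRS.map((a) => "[" + a + "]").join(",");
  return Array.from(doc.querySelectorAll(selector), (el) => {
    const parts = RDFA_ATTRS.filter((a) => el.getAttribute(a) !== null)
      .map((a) => a + "=" + JSON.stringify(el.getAttribute(a)));
    // Element text becomes the literal only for @property without @content.
    if (el.getAttribute("property") !== null && el.getAttribute("content") === null) {
      parts.push("| " + JSON.stringify(el.textContent));
    }
    return parts.join(" ");
  });
}

// Multiset difference between the live DOM and the re-fetched one.
function diffRdfa(liveDoc, pristineDoc) {
  const remaining = new Map();
  for (const f of rdfaFingerprint(pristineDoc)) {
    remaining.set(f, (remaining.get(f) || 0) + 1);
  }
  const injected = [];   // present live, absent from the served markup
  for (const f of rdfaFingerprint(liveDoc)) {
    const n = remaining.get(f) || 0;
    if (n > 0) remaining.set(f, n - 1); else injected.push(f);
  }
  const missing = [];    // served, but removed or altered in the live DOM
  for (const [f, n] of remaining) for (let i = 0; i < n; i++) missing.push(f);
  return { injected, missing, tampered: injected.length + missing.length > 0 };
}

// In a page: fetchPristine(location.href).then((p) => diffRdfa(document, p));
```

A difference can also mean the server returned different markup on the second GET, so the safer use is to parse the re-fetched Document rather than to treat the diff as proof of tampering. A script that runs before this code can replace `XMLHttpRequest` itself, which this check does not detect.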
