Solving the "Deep Linking" (bookmarkability) problem in RWW for single page applications from Sébastien Lorber on 2013-12-27 (public-rww@w3.org from December 2013)

From: Sébastien Lorber <sebastien@stample.co>
Date: Fri, 27 Dec 2013 22:15:23 +0100
To: public-rww@w3.org
Message-ID: <CAFyaO_mSu4Ynd57C6k+8je+Qhni7PodGabiOz2igqnWaXgkr4g@mail.gmail.com>
Hi all,

I'm working with Henry and I'm trying to build a Single Page Application
(SPA) that can navigate to the RWW.
I can't find an elegant way to handle deep linking (possibility to
bookmark/share the url) without reloading the whole page, which is not
really a modern user experience.



Suppose I have an RDF resource located at http://sub.rwwserver.io/resource

The server actually detects that it's a browser with Accept prefering html
content, so it sends some generic html page with some JS in it that will
refetch the resource in RDF format, and startup the SinglePageApp to render
that RDF graph.

This is a SinglePageApp so we aim to not refresh the page and reload the
app as we navigate through the RDF graphs.


If this resource is a foaf profile:
http://sub.rwwserver.io/profile
Then on my SPA can eventually click on a friend of this foaf profile
(foaf:knows) which will lead to a rendering the friend data, on which you
can also click on one of its friends...

When rendering a friend, as we are in a SPA, the url remain
http://sub.rwwserver.io/profile
So if I want to bookmark or share the friend's page, I can't simply use the
browser current url.


If the rendered friend is part of the subdomain, with HTML5 history
pushState (or History.js) it is possible to modify the url and add an
history element.

So if the first user to render is
http://sub.rwwserver.io/profile1
And then we render its friend
http://sub.rwwserver.io/profile2
it is possible to change the current url to profile2 url without reloading
the page, even if the loaded page was profile1 url

But it's not possible to change the url without reloading if the url to set
is on another domain or subdomain. This is a security issue because if you
go to hacker.com, the site could change the url to yourbank.com and do some
fishing more easily.






So what is the solution to build modern JS RDF applications (SPA) and be
able to solve this deep linking problem?


We could probably change the url when the domain is the same, and redirect
to the new resource to render when the domain is different. That wouldn't
always redirect in many cases, particularly when the user navigate in its
own content for exemple.
But when dealing with stuff like navigating in social networks and foaf
profiles, it is very probable that the domain will often change between
users...







Js frameworks like Angular and Backbone usually use the url hash to perform
routing and solve this deep linking problem.

So I may be able to use something like that:
http://sub.rwwserver.io/profile#currentResource=http://otherrww.io/otherprofile
This way the url becomes bookmarkable and shareable, but the problem is
it's not really the true resource url that you share, and that many urls of
this kind (with hash) could point to the same resource url:
http://sub.rwwserver.io/someContent#currentResource=http://otherrww.io/otherprofile
http://test.rwwserver.io/#currentResource=http://otherrww.io/otherprofileThiskind
of defeat the original goal of an url I guess.

And if the first url is not available anymore, the link won't work, even if
the targeted resource is still available...



In addition, in my opinion, an user should be able to "choose" the
application he wants to open an RDF resource, as we can currently do in OS:
you can open .doc files with Word or OpenOffice, and have a default
prefered app. So many SPA could be used to render the same foaf profile.

If I choose app1 to render a profile, app1 may create a
#currentResource=url . and then I can send the link to someone.
But this other person may prefer to renderprofiles with app2, and maybe
app2 is not able to understand the hash semantics used by app1 for deep
linking, so it will render the original profile and not the profile in
#currentResource=url

This could eventually become a hacky standard for building RWW SPA, to use
the same hash semantics.
But another problem is ACL. If I share a link
originalResource#currentResource=url
then i have myself access to originalResource, but the other user may not
have access so the server won't load any SPA even if that other user have
access to the targeted resource

It could perhaps be done at the RWW server level (not sure, the url hash is
sent?) so that the server automatically redirect the client to the targeted
resource (without checking ACLs on the original) if it detects the
#currentResource=url fragment
But this doesn't solve:
- the RWW server could be down
- the url is ugly







Do you see any solution to this problem?


One solution could be to have some kind of equivalent of:
Access-Control-Allow-Origin: *
lke
Access-Control-Allow-History-PushState: *
implemented on browsers and added on RWW server responses, but it wouldn't
really prevent fishing because hacker.com could change the url to
http://rwwserver.io/myBankAccount and show credit card forms...
Maybe this can be used only on non-sensitive RDF resource url

What do you think?

Thanks
Received on Friday, 27 December 2013 21:15:52 UTC