- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 18 Jul 2012 21:21:51 +0200
- To: Henry Story <henry.story@bblfish.net>
- Cc: WebID <public-webid@w3.org>, Read-Write-Web <public-rww@w3.org>
- Message-ID: <CAKaEYhJqAWo3r4=m6pKGhVcvYPS29Hf-ZS=1nkf3brqOkVa3MA@mail.gmail.com>
On 17 July 2012 11:13, Henry Story <henry.story@bblfish.net> wrote:

> Hi,
>
> [I sent the following mail to the Linked Data Profile WG, to see if it
> is something they are able to add to their topics of interest (that may
> take some time, and so should not stop us looking into it too).]
>
> I think as mentioned previously LDP does require some form of
> authentication, as it allows non-idempotent methods such as POST, PUT &
> DELETE. This means that there will be some interesting things to think
> about relating to CORS [1]
>

Good questions! PUT, GET and DELETE are idempotent, POST is not.

>
> One application of an LDP server would be to have a javascript client
> [2] be able to crawl RDF linked data in order to build up a user interface.
> I have a really simple example that kind-of™ works.
>
> http://bblfish.github.com/rdflib.js/example/people/social_book.html
>
> The page contains no data just a reference to my foaf profile, which is
> how it fills in the user info and the first column of the Social Book. If
> you click on some users, such as "Joe Presbrey" the javascript will make an
> XHR request to his WebID Profile http://presbrey.mit.edu/foaf, which
> since it contains the right headers especially the
> "Access-Control-Allow-Origin: *"
>
> $ curl -I http://presbrey.mit.edu/foaf
> HTTP/1.1 200 OK
> Date: Tue, 17 Jul 2012 08:35:03 GMT
> Server: Apache
> Access-Control-Allow-Origin: *
> Last-Modified: Tue, 20 Dec 2011 01:02:36 GMT
> ETag: "43c4058c-1437-4b47b9f740300"
> Accept-Ranges: bytes
> Content-Length: 5175
> Content-Type: application/rdf+xml
>
> the browser is authorised to pass that profile on for use by the
> javascript that will display the info. Most linked data sites do not put
> such headers up, and so make it necessary then to develop CORS proxies
> (which that social_book application also uses).
>
> It may be worth exploring this side of things a bit. Perhaps adding to
> the LDP Use Cases [3] a javascript based linked data browser could bring
> these issues up in the LDP Working Group.
>
> Some questions that come up from my little experience in this area are:
> - should all public RDF resources always return
> Access-Control-Allow-Origin: * to all public resources?
> ( I would tend to think so, because a simple proxy will always give
> access to that resource anyway )
> - How does a server know which Origin JS agents to trust for a particular
> user? Since we are working in a linked data environment that at its
> best spans many organisations how is the IBM linked data provider to know
> that it should trust my bblfish.net JS Agent to get a particular resource
> for me?
> (my suggestions if I add :me cert:trustOrigin <https://bblfish.net> to
> my WebID profile? )
> - what types of improvements to the identity of JS applications might in
> the long term help develop better apps? ( perhaps having signed JS apps? )
>
> Henry
>
>
> [1] http://www.w3.org/TR/cors/
> [2] as done by Tabulator or the rdflib.js library published on github
> https://github.com/linkeddata/
> [3] http://www.w3.org/2012/ldp/wiki/Use_Cases_And_Requirements
>
> Social Web Architect
> http://bblfish.net/
Received on Wednesday, 18 July 2012 19:22:20 UTC
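
The CORS decision raised in the questions above, as an added example that is not part of the original mail or of any project it mentions: public resources answer with `Access-Control-Allow-Origin: *`, while protected ones echo the request's Origin only when the user's profile lists it. `cert:trustOrigin` is the predicate suggested in the mail and is treated here as hypothetical; the function names and the sample profile are constructed for illustration.

```javascript
// Constructed sample profile (Turtle); cert:trustOrigin is the mail's suggestion, hypothetical here.
const SAMPLE_PROFILE = `
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
<#me> cert:trustOrigin <https://bblfish.net> .
`;

// Serialize an Origin value to scheme://host[:port], or return null if unusable.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  try {
    const u = new URL(value);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    // An origin carries no path, query, fragment or userinfo.
    if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
    return u.origin; // host lower-cased, default port dropped
  } catch {
    return null;
  }
}

// Simplified extraction: collect IRIs that follow cert:trustOrigin (not a full Turtle parser).
function trustedOriginsFromProfile(turtle) {
  const found = new Set();
  for (const m of turtle.matchAll(/cert:trustOrigin\s+<([^>]+)>/g)) {
    const o = normalizeOrigin(m[1]);
    if (o) found.add(o);
  }
  return found;
}

// Decide the CORS response headers for one request.
function corsHeaders({ origin, isPublic, trusted }) {
  if (isPublic) {
    // Readable by any script; browsers reject the wildcard on credentialed requests.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  // Protected resource: the answer depends on Origin, so caches must key on it.
  const headers = { Vary: 'Origin' };
  const o = normalizeOrigin(origin);
  if (o && trusted.has(o)) {
    headers['Access-Control-Allow-Origin'] = o; // exact match only, never a prefix or suffix test
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}
```

An origin that is missing, `null`, or merely similar to a trusted one gets no `Access-Control-Allow-Origin` header, so the browser withholds the response from the calling script.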