Using RDF in XUL

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Using RDF in XUL

Uldis Bojars
Hi, All!

It is nice to see that Mozilla has native support for RDF and hence XUL
applications can process data represented in RDF w/o need for external
libraries.

However, when experimenting with RDF in XUL, couple of issues /
questions arise.

1) Debugging RDF processing (and XUL applications in general)

Is there a way to get Mozilla report if and what errors it has
encountered while processing RDF or executing a XUL app? Even with a
very simple application it is confusing when XUL does not process a
valid RDF file and there are no messages in the JavaScript console (or
elsewhere) detailing why or even if that there was an error.

E.g., in a browse.xul [1] I am getting incosistent results when one and
the same local RDF file is getting read ok in one occasion, but is not
processed at a different moment in time. With the lack of diagnostic
messages it creates an impression that RDF processing in Mozilla can't
be trusted, which I hope is not true.

[1] http://sw.deri.org/~uldis/2006/05/flies/browse.xul
you can try to enter 'cs-foaf.rdf' or
'http://sw.deri.org/~uldis/2006/05/cs.rdf' and see if how works. both
files are valid rdf.

2) Remote RDF and security model

Next obstacle is that XUL applications would not process remote RDF
files - unless the application is in chrome://. But since I am looking
at remote applications that is not an option.

What is the rationale for denying access to RDF located remotely? While
it can probably be motivated by the security concerns, RDF is mainly
data and many applications need to access data from remote sources.
(e.g, RSS readers would be useless w/o access to remote RSS feeds)

More importantly - is remote RDF support (for remote XUL applications)
planned in Mozilla in the future and how can this restriction be worked
around today? It looks like providing a local proxy for remote RDF
files is one of the best solutions, but there may be other.

3) Parsing RDF and rdf:nodeID(s)

Does Mozilla RDF parser "understand" rdf:nodeID ?

In theory both of the following RDF data snippets mean that this
foaf:Person is a part of rdf:Bag. But if I populate a widget with data
from this rdf:Bag, then the items linked using rdf:nodeID do not appear
in the list.

nodeid.rdf:
<foaf:Person rdf:nodeID="p1">
...
</foaf:Person>
<rdf:Bag>
   <rdf:li rdf:nodeID="p1"/>
</rdf:Bag>

resource.rdf:
<foaf:Person rdf:about="#p1">
...
</foaf:Person>
<rdf:Bag>
   <rdf:li rdf:resource="#p1"/>
</rdf:Bag>

P.S. Is there an utility that can "dump" all the triples that result
from parsing a RDF datasource? That would help debugging.

Best,
Uldis

[ http://captsolo.net/info/ ]

_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf
Reply | Threaded
Open this post in threaded view
|

Re: Using RDF in XUL

Axel Hecht-2
Uldis Bojars wrote:

> Hi, All!
>
> It is nice to see that Mozilla has native support for RDF and hence XUL
> applications can process data represented in RDF w/o need for external
> libraries.
>
> However, when experimenting with RDF in XUL, couple of issues /
> questions arise.
>
> 1) Debugging RDF processing (and XUL applications in general)
>
> Is there a way to get Mozilla report if and what errors it has
> encountered while processing RDF or executing a XUL app? Even with a
> very simple application it is confusing when XUL does not process a
> valid RDF file and there are no messages in the JavaScript console (or
> elsewhere) detailing why or even if that there was an error.
>
> E.g., in a browse.xul [1] I am getting incosistent results when one and
> the same local RDF file is getting read ok in one occasion, but is not
> processed at a different moment in time. With the lack of diagnostic
> messages it creates an impression that RDF processing in Mozilla can't
> be trusted, which I hope is not true.
>
> [1] http://sw.deri.org/~uldis/2006/05/flies/browse.xul
> you can try to enter 'cs-foaf.rdf' or
> 'http://sw.deri.org/~uldis/2006/05/cs.rdf' and see if how works. both
> files are valid rdf.
>

There is no debugging assistance anywhere in RDF or Templates.

> 2) Remote RDF and security model
>
> Next obstacle is that XUL applications would not process remote RDF
> files - unless the application is in chrome://. But since I am looking
> at remote applications that is not an option.
>
> What is the rationale for denying access to RDF located remotely? While
> it can probably be motivated by the security concerns, RDF is mainly
> data and many applications need to access data from remote sources.
> (e.g, RSS readers would be useless w/o access to remote RSS feeds)
>
> More importantly - is remote RDF support (for remote XUL applications)
> planned in Mozilla in the future and how can this restriction be worked
> around today? It looks like providing a local proxy for remote RDF
> files is one of the best solutions, but there may be other.
>

Any cross-site access is firewall tunneling, and any fileformat that is
likely to contain confidential information is forbidden, and RDF is a
really good candidate here.
If you can proxy the data from your server, the firewall issue is done
with and that's why you can do that.

> 3) Parsing RDF and rdf:nodeID(s)
>
> Does Mozilla RDF parser "understand" rdf:nodeID ?
>
> In theory both of the following RDF data snippets mean that this
> foaf:Person is a part of rdf:Bag. But if I populate a widget with data
> from this rdf:Bag, then the items linked using rdf:nodeID do not appear
> in the list.
>
> nodeid.rdf:
> <foaf:Person rdf:nodeID="p1">
> ...
> </foaf:Person>
> <rdf:Bag>
>    <rdf:li rdf:nodeID="p1"/>
> </rdf:Bag>
>
> resource.rdf:
> <foaf:Person rdf:about="#p1">
> ...
> </foaf:Person>
> <rdf:Bag>
>    <rdf:li rdf:resource="#p1"/>
> </rdf:Bag>

https://bugzilla.mozilla.org/show_bug.cgi?id=232623, will be fixed in
Firefox 2.

>
> P.S. Is there an utility that can "dump" all the triples that result
> from parsing a RDF datasource? That would help debugging.
>

Iff you're working on an RDF/XML datasource, you can use the sample at
http://lxr.mozilla.org/mozilla/source/rdf/tests/triplescat/, but that
(and the in-mem) is the only datasource that actually implements the
interface required for that code. That's work without much progress.

Axel
_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf
Reply | Threaded
Open this post in threaded view
|

Re: Using RDF in XUL

James Ross
Axel Hecht wrote:
> There is no debugging assistance anywhere in RDF or Templates.

Not entirely true; there is some information available in NSPR logging
in debug builds. Mind you, it's probably been removed in the new
bizaro-world templating replacement. It did exist, though.

--
James Ross <[hidden email]>
ChatZilla Developer
_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf
Reply | Threaded
Open this post in threaded view
|

Re: Using RDF in XUL

Uldis Bojars
In reply to this post by Axel Hecht-2
Axel Hecht wrote:

> > 2) Remote RDF and security model
> Any cross-site access is firewall tunneling, and any fileformat that is
> likely to contain confidential information is forbidden, and RDF is a
> really good candidate here.
> If you can proxy the data from your server, the firewall issue is done
> with and that's why you can do that.

When Mozilla is parsing RDF - is it possible to specify the base URI to
be used when converting relative RDF IDs to URIs ?

This is important when parsing RDF from a location other than it's
original location (e.g., if parsing a file saved locally or using a
proxy to process remote RDF).

Most RDF toolkits provide a way to specify the base URI:
[Jena]
http://jena.sourceforge.net/javadoc/com/hp/hpl/jena/rdf/model/Model.html#read(java.io.InputStream,%20java.lang.String)
[Redland] http://librdf.org/docs/pydoc/RDF.html#Parser-parse_as_stream

Thanks,
Uldis

[ http://captsolo.net/info/ ]

_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf
Reply | Threaded
Open this post in threaded view
|

Re: Using RDF in XUL

Peter Van der Beken
In reply to this post by James Ross
James Ross wrote:
> Not entirely true; there is some information available in NSPR logging
> in debug builds. Mind you, it's probably been removed in the new
> bizaro-world templating replacement. It did exist, though.

https://bugzilla.mozilla.org/attachment.cgi?id=211413 shows no
significant removal of logging, and some additional logging in new code.
Then again, why check, spreading unsubstantiated rumors is more fun.

Peter
_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf
Reply | Threaded
Open this post in threaded view
|

Re: Using RDF in XUL

Axel Hecht
In reply to this post by Uldis Bojars
Uldis Bojars wrote:

> Axel Hecht wrote:
>
>>> 2) Remote RDF and security model
>> Any cross-site access is firewall tunneling, and any fileformat that is
>> likely to contain confidential information is forbidden, and RDF is a
>> really good candidate here.
>> If you can proxy the data from your server, the firewall issue is done
>> with and that's why you can do that.
>
> When Mozilla is parsing RDF - is it possible to specify the base URI to
> be used when converting relative RDF IDs to URIs ?
>
> This is important when parsing RDF from a location other than it's
> original location (e.g., if parsing a file saved locally or using a
> proxy to process remote RDF).
>
> Most RDF toolkits provide a way to specify the base URI:
> [Jena]
> http://jena.sourceforge.net/javadoc/com/hp/hpl/jena/rdf/model/Model.html#read(java.io.InputStream,%20java.lang.String)
> [Redland] http://librdf.org/docs/pydoc/RDF.html#Parser-parse_as_stream

That would open holes, and I'm not really sure that it's generally a
good idea with my RDF hat on. Those libs likely provide those APIs to
support other protocols rather than to reroot RDF data (or whatever you
want to call that).

Axel
_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf
Reply | Threaded
Open this post in threaded view
|

Re: Using RDF in XUL

Uldis Bojars

Axel Hecht wrote:

> >> Any cross-site access is firewall tunneling, and any fileformat that is
> >> likely to contain confidential information is forbidden, and RDF is a
> >> really good candidate here.

Coming back to this claim - is it really true?

The remote XUL is executed on the browser and hence, assuming the
sensitive data are somewhere in the intranet that is not accessible
from outside, I see no way how a browser could tunnel through the
firewall and steal confidential information.

In fact, what really creates security risks is this proxy workaround
which creates a real danger that someone will be able to use it to
access confidential RDF located behind the firewall. If XUL
applications could access RDF from other remote sources, there'd be no
need for such workarounds.

I am asking this because the data integration from different
(distributed) data sources is one of the main use cases for RDF.

> > When Mozilla is parsing RDF - is it possible to specify the base URI to
> > be used when converting relative RDF IDs to URIs ?
>
> That would open holes, and I'm not really sure that it's generally a
> good idea with my RDF hat on. Those libs likely provide those APIs to
> support other protocols rather than to reroot RDF data (or whatever you
> want to call that).

Could you give an example of holes it'd open?
I do not see holes when looking from RDF point of view.
If it is Mozilla specific, please elaborate.

Generally, RDF libs allow to supply base URI precisely for this reason
- to convert relative URIs to absolute URIs when parsing RDF/XML.
That's the only purpose. If two major libraries do this, there must be
a reason.

A common scenario is if you have crawled RDF/XML files and saved those
on the disk. When parsing RDF/XML the parser will not know the original
URL of RDF/XML files unless it is told what it was. The scenario with
proxy is similar to saving files to disk in the sense that the location
of files gets changed and information about the original location is
lost to the parser.

Possibly a reason why Mozilla has not had to worry about keeping
relative URIs pointing to the original location is because it is
difficult to use remote RDF in remote Mozilla apps and hence nobody
used it for purposes such as aggregation of remote RDF data.

Uldis

[ http://captsolo.net/info/ ]

_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf
Reply | Threaded
Open this post in threaded view
|

Re: Using RDF in XUL

Neil Deakin
[hidden email] wrote:

> Axel Hecht wrote:
>
>>>> Any cross-site access is firewall tunneling, and any fileformat that is
>>>> likely to contain confidential information is forbidden, and RDF is a
>>>> really good candidate here.
>
> Coming back to this claim - is it really true?
>
> The remote XUL is executed on the browser and hence, assuming the
> sensitive data are somewhere in the intranet that is not accessible
> from outside, I see no way how a browser could tunnel through the
> firewall and steal confidential information.
>

If cross-site access was allowed, a remote web site running in a browser
would be able to request an intranet url and receive back possibly
sensitive data.

>
> Generally, RDF libs allow to supply base URI precisely for this reason
> - to convert relative URIs to absolute URIs when parsing RDF/XML.
> That's the only purpose. If two major libraries do this, there must be
> a reason.
>

You can use nsIRDFXMLParser to parse RDF with a base URL.

/ Neil
_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf
Reply | Threaded
Open this post in threaded view
|

Re: Using RDF in XUL

Axel Hecht-2
In reply to this post by Uldis Bojars
[hidden email] wrote:

> Axel Hecht wrote:
>
>>>> Any cross-site access is firewall tunneling, and any fileformat that is
>>>> likely to contain confidential information is forbidden, and RDF is a
>>>> really good candidate here.
>
> Coming back to this claim - is it really true?
>
> The remote XUL is executed on the browser and hence, assuming the
> sensitive data are somewhere in the intranet that is not accessible
> from outside, I see no way how a browser could tunnel through the
> firewall and steal confidential information.
>
> In fact, what really creates security risks is this proxy workaround
> which creates a real danger that someone will be able to use it to
> access confidential RDF located behind the firewall. If XUL
> applications could access RDF from other remote sources, there'd be no
> need for such workarounds.
>

This is totally wrong. Think from scratch, draw a picture. Webserver 1
with the RDF web app in the wild, user and server2 behind a single firewall.

> I am asking this because the data integration from different
> (distributed) data sources is one of the main use cases for RDF.
>
>>> When Mozilla is parsing RDF - is it possible to specify the base URI to
>>> be used when converting relative RDF IDs to URIs ?
>> That would open holes, and I'm not really sure that it's generally a
>> good idea with my RDF hat on. Those libs likely provide those APIs to
>> support other protocols rather than to reroot RDF data (or whatever you
>> want to call that).
>
> Could you give an example of holes it'd open?
> I do not see holes when looking from RDF point of view.
> If it is Mozilla specific, please elaborate.
>
> Generally, RDF libs allow to supply base URI precisely for this reason
> - to convert relative URIs to absolute URIs when parsing RDF/XML.
> That's the only purpose. If two major libraries do this, there must be
> a reason.
>
> A common scenario is if you have crawled RDF/XML files and saved those
> on the disk. When parsing RDF/XML the parser will not know the original
> URL of RDF/XML files unless it is told what it was. The scenario with
> proxy is similar to saving files to disk in the sense that the location
> of files gets changed and information about the original location is
> lost to the parser.

Why would a browser engine allow a webapp to save a file to disk?

This is really only because you don't serialize the graph to a new
location, but move an RDF/XML file from here to there. Expecting it to
mean the same thing in the new location is just wrong.

Why libraries expose a method to specify a content stream and a base URL
is just to hook up to the IO libraries (and your examples show that). Of
course you can use that to reroot trees you grabbed from somewhere, but
really you should parse the RDF/XML from the remote site, and serialize
to to where you want it on disk in an application. Then all resources
would have the right name.

> Possibly a reason why Mozilla has not had to worry about keeping
> relative URIs pointing to the original location is because it is
> difficult to use remote RDF in remote Mozilla apps and hence nobody
> used it for purposes such as aggregation of remote RDF data.
>
> Uldis
>

This is all about permissions in a browser environment, you can't just
expect a normal app environment here.

Axel
_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf
Reply | Threaded
Open this post in threaded view
|

Re: Using RDF in XUL

Loïc Fejoz
Axel Hecht a écrit :
> [hidden email] wrote:
>> Axel Hecht wrote:
>>
>>>>> [...]
>
> Why would a browser engine allow a webapp to save a file to disk?

For partially connected application!

> This is really only because you don't serialize the graph to a new
> location, but move an RDF/XML file from here to there. Expecting it to
> mean the same thing in the new location is just wrong.

What about cache?

> Why libraries expose a method to specify a content stream and a base URL
> is just to hook up to the IO libraries (and your examples show that). Of
> course you can use that to reroot trees you grabbed from somewhere, but
> really you should parse the RDF/XML from the remote site, and serialize
> to to where you want it on disk in an application. Then all resources
> would have the right name.

Correct. So the answer is that it should have buit-in component to do
that...

>> [...]

--
Yermat
_______________________________________________
dev-tech-rdf mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-rdf