msporny
commented
11 hours ago @iherman wrote:
I realize that this may complicate the processing steps from a security and efficiency point of view (regarding caching, integrity checking, etc). But this approach may lead to maintenance issues down the line.
Yes, that's the problem that was raised as a "security concern" a year or more ago, that imported contexts might be loaded from the network or trigger "extra processing" that "might be dangerous". All of that was analyzed as FUD -- if you cache contexts permanently and never load them from the network, then this isn't an issue. That said, people will still complain about "the complexity of not knowing what is being imported", which again is FUD, but it's easier to just repeat the declarations than import them (and have to deal w/ the FUD).
There are two benefits in including all content in the context file:
- A human analyzing it to ensure it has what you think it has is easier, and
- There is a slight performance boost by having everything local (though, it's negligible)
To put it another way, if we imported contexts, I expect that we'd see objections (again).
iherman
This PR is an attempt to address issue #859 and #850 by adding a v1.1 JSON-LD Context and updating all examples in the specification to use the new context URL.
Preview | Diff