Attribution as links instead of markup #303
Comments
|
Regarding the second topic: Your concerns are valid, but I do not think that moving the attribution to the links is a solution.
I think that we probably should deprecate the use of any markup in the attribution field. The attribution requirements usually also have rules for printed material, often writing the full URI as text, which can lead to long and hard to read attributions, but I guess that is still the better option. So, I would leave the attribution as a string member that should be displayed as is. |
Yes, but there needs to be some kind of compromise between the data publishers and the developers of client applications (in the same way that there are compromises between the developers of different implementations). A specification like this already constrains the ways that data is published, and it shouldn't be a big deal to constrain (within reasonable limits) the way that the attribution is described. A use case I'm also interested in is logos/logotypes. e.g. when visiting https://explore.osmaps.com, a small image like I would go as far as suggesting a {
"id": "Mastermap",
"attribution": "Ordnance Survey"
"links": [
{ "title": "Ordnance Survey", "href": "https://www.ordnancesurvey.co.uk/", "rel": "attribution", "type": "text/html"},
{ "title": "Crown Copyright", "href": "https://www.ordnancesurvey.co.uk/business-government/licensing-agreements/copyright-acknowledgements", "rel": "license", "type": "text/html" },
{ "href": "https://explore.osmaps.com/images/logo/osmaps-logo-dark.svg", "rel": "logo", "type": "image/png" },
/* ...etc... */
],
}Maybe even a logo for dark backgrounds and another for light backgrounds (but suggest a maximum size, and let the graphic designers worry about margins and blurred backgrounds for contrast). But anything more complex than this, including any kind of markup, is too cumbersome for developing clients, IMO.
OK, I'll agree that requiring URIs for attribution is reasonable. I still think that moving the attribution to the links makes sense. I agree that the |
I'm writing this during the 2022-03-08/10 joint OGC+OSGeo sprint.
After doing a basic JS client implementation, I've become slightly concerned about the
attributionfield on both the list of collections, and the metadata of a collection:It is not clear whether
attributionbelongs to Part 1 (Core) or Part 2 (Geospatial Data). As I understand it, there can be anattributionfield in either/both the list of collections (part 1) or in the metadata of a specific collection (part 2)Therefore, it's not clear what the behaviour of a client should be - shall a client display attribution about the service, or only about the collections being displayed/used?
Allowing
attributiononly in part 2, or clarifying how the attribution in part 1 would be displayed would solve this concern.Allowing servers to use any kind of HTML markup in the
attributionfield might be problematic. I see three specific problems:<script>s, and tracking pixels, and parsing.In a best-case scenario, a OGC API server might push some invisible tracking pixels to clients (an image linking to an invisible 1x1 pixel). While good-intentioned, this opens a rabbit hole of cookies and EU GDPR concerns.
Another concern is clients with no means of parsing HTML and building a document model about it. Using a specific format of markup will force clients to include a parser for that markup language. A similar concern would arise if another markup language would be used, e.g. markdown.
The worst-case scenario would be an infosec attacker gaining a hold of a OGC API server, and changing the attribution field to include a
<script>reference. That would be an attack vector to inject malware in any clients. My concern is that there's no well-intentioned scenario where allowing<script>as part of attribution might be useful.In order to solve the second concern, I would like to suggest moving attribution to the links, e.g. instead of:
{ "id": "1234567890", "title": "Example Collection Description Response", "description": "This is an example of a Collection Description in JSON format", "attribution": "<a href='https://www.ign.es' rel=' '>IGN</a> <a href='https://www.govdata.de/dl-de/by-2-0'>(c)</a>",it might be better to add new
attributionandlicenserelationship roles:{ "id": "1234567890", "title": "Example Collection Description Response", "description": "This is an example of a Collection Description in JSON format", "links": [ { "href": "https://www.ign.es", "rel": "attribution", "type": "text/html", "title": "IGN" }, { "href": "https://creativecommons.org/licenses/by/4.0/", "rel": "license", "type": "text/html", "title": "CC-by 4.0" }, /* ...etc... */ ], }Multiple attribution is possible by having more than one link with the
attributionrelationship role. Clients then would be able to format those as needed (concatenate with commas, or display a list, etc etc).Attribution without actual links would be possible by having an empty
href.This might be against the spirit of #296 , but would provide a solution for #301 .
The text was updated successfully, but these errors were encountered: