Along with supporting RDFa 1.1 I'm planning to add support for <link> and rel="" in our RDFa code.
To protect against injection of HTML rel values (including rel="stylesheet") I'm going to be converting all RDFa terms like "foo" to CURIEs like ":foo" (these are almost exactly the same, and the "edge case" shouldn't happen at all in RDFa 1.1).
((I really wanted to wrap everything except protocol whitelisted AbsIRIs in safe CURIEs making that "[rdf:type]" and "[:stylesheet]" but unfortunately it seems safe CURIEs are only valid in about and resource))
Anyone worried about the possibility that there's a badly written browser out there that'll treat <link rel=":stylesheet" href="..."> as a valid stylesheet and include it is welcome to try out any browser they can think of and bring it up. I've written a test case for it http://bl.ocks.org/dantman/5695980 if the bg there is red instead of blue then it's unsafe.
I've tested IE 6, IE 7, IE 8, IE 9, IE 10, Opera 10, Opera 12, Safari 5 (Windows), iOS 6's browser, Firefox 3.0, Firefox 21.0, Android 4's stock browser, and Chrome 27. They're all safe.
wikitech-l@lists.wikimedia.org