IETF Logo Mail Archive

Re: [dispatch] [media-types] 3rd WGLC - draft-ietf-dispatch-javascript-mjs - deadline 10th May

Mathias Bynens <mths@google.com> Tue, 18 May 2021 11:40 UTC

Return-Path: <mathiasb@google.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 795A33A08C0 for <dispatch@ietfa.amsl.com>; Tue, 18 May 2021 04:40:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.099
X-Spam-Level:
X-Spam-Status: No, score=-17.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VOejhfgqsU1G for <dispatch@ietfa.amsl.com>; Tue, 18 May 2021 04:40:01 -0700 (PDT)
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B41D73A08D6 for <dispatch@ietf.org>; Tue, 18 May 2021 04:40:01 -0700 (PDT)
Received: by mail-yb1-xb35.google.com with SMTP id w1so1515368ybt.1 for <dispatch@ietf.org>; Tue, 18 May 2021 04:40:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=03RQaQr/P/5iYKZaGZ83GL6/JxAFrMEyNmSvxekjE1E=; b=HMfgtHjx7HoEmJ6JHt2QCyPGbrOH8n3q++X55gzIuqsmt6z6wMpkzFLTlQuDqibVxP q4soZjdTJJ3a3t4elR80K3flDME6PycIZhLvxypYw5y6IsPv8fw+WU33FS82UJOKqRIB TKH1hu2RAmclkhQjKJCkUcANVjBX2ixrxxsRMoSGIVO+aA7YYG7B+OglMtE60JvwT3Qt 1p6efHsj1MjasAwp9dTKYEYmuTDX1nSKCfReTJas1/Pqn3spL7r1v8R+vSIpPngDXNFX mSy0N10mytY8QZyYmFspdzl8cg4ZaX8kj4InA9/au5xdUgMTQ+5D6rM62hbh3ANVCWw7 oOtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=03RQaQr/P/5iYKZaGZ83GL6/JxAFrMEyNmSvxekjE1E=; b=rnPpi8qyqH52/0sfTGJJySag7luXJldc80Is3LqDNoHe+W3jg/ufDLWPfI+eQkVyeM 4HRCw7XTDihytMCs23ZH6Y4QCjCHRVdCa7nwElYvWLESoA2/WXP2IIP2HhQQrNPKdval TEBy7QXWqxEcwSr+TAmvFXB0BQrkdC2iuqq8pxwbKjpTXTC/Z7FWHXTjULZCaKH92kXE MwGAowBfBYIvjD22A3z2MT//P3wXAFrmCzHqDlmrRwj4dicabJsiN2E6v59h8UImZ1Ag miUth95sY0QJ4Pp7jNWA23J/h0U64RyJAgF0n4YsArEdldWT3JSljS4qYDZ0vxstxflk MHDw==
X-Gm-Message-State: AOAM530SdMFRLoIiytI8t5i58PsEUvXtVViwz2acuPxG3VwrymGBZ/TD KeAe9E+GWWuPNuTHB4X0gJz1ntisKaqwLXZVMhuQag==
X-Google-Smtp-Source: ABdhPJxYhqSJ0MZDcswttky7qc2rA2Fr/x/46mtsKAX++WnlW+KW7GhGvCvpJ/7sHqdMbsfqDy7l4gNsbASFm/nG2Xg=
X-Received: by 2002:a25:a4c8:: with SMTP id g66mr6473464ybi.301.1621337999936; Tue, 18 May 2021 04:39:59 -0700 (PDT)
MIME-Version: 1.0
References: <LO2P123MB3599980BA2B5A5ACA59ECF6FD7429@LO2P123MB3599.GBRP123.PROD.OUTLOOK.COM> <LO2P123MB3599BFA8AB75D6A890E97622D7419@LO2P123MB3599.GBRP123.PROD.OUTLOOK.COM> <CADizRgZjLEngAW4AoPWQsgVXK2pmTk76Ctk5jTp84BbyhNPoVw@mail.gmail.com> <CAEisK4+2ch5BoCEatZoNLzOMT3=qZnsFDShRYML51kLdrEpczw@mail.gmail.com> <CADizRgYF39JEFzADdtNSnWsJc7PN1zPvbP-PQLx8Om2AUEDjhg@mail.gmail.com> <05fa6f4f-ebcb-691c-8a02-69ba7a43c28b@oerc.ox.ac.uk>
In-Reply-To: <05fa6f4f-ebcb-691c-8a02-69ba7a43c28b@oerc.ox.ac.uk>
From: Mathias Bynens <mths@google.com>
Date: Tue, 18 May 2021 13:39:48 +0200
Message-ID: <CADizRgZwh0jztNVTw6+GS1GX=hqVvSXgbFQ-NppWCgoJ_DQuLA@mail.gmail.com>
To: Graham Klyne <Graham.Klyne@oerc.ox.ac.uk>
Cc: Myles Borins <mylesborins@github.com>, media-types@ietf.org, DISPATCH WG <dispatch@ietf.org>, "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>, Kirsty P <Kirsty.p@ncsc.gov.uk>
Content-Type: multipart/alternative; boundary="0000000000008c896705c2992ba7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/NNONpurQTw1T3KhST3kVgXXSyas>
Subject: Re: [dispatch] [media-types] 3rd WGLC - draft-ietf-dispatch-javascript-mjs - deadline 10th May
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2021 11:40:08 -0000

Comment inline

On Tue, May 18, 2021 at 12:18 PM Graham Klyne <Graham.Klyne@oerc.ox.ac.uk>
wrote:

> I'm responding without knowledge of the history of this proposal, but
> recent
> experience with the node ecosystem leads me to a view that a common
> mechanism
> for distinguishing javascript modules is a Good Thing.  A couple of
> concerns
> occur to me:
>
> 1. I think that depending on the file extension to make the distinction
> between
> scrips and modules doesn't really sit well with usage on the Web if they
> are
> expected to be parsed differently.  I would have thought a different media
> type
> would be useful too (though it may be late to stop that horse from
> bolting).
>

I agree it would have been much nicer to have a separate media type for
modules, but I’m afraid that ship has sailed, as you suspected.

JavaScript modules being served as text/javascript is already Web Reality,
and we cannot change browsers to become more strict about which modules
they load/execute at this point without Breaking The Web, so it cannot
happen.

FWIW, your comments echo feedback we’ve received on the previous version,
and which we’ve tried to address in this revision by including specific
language around how this draft matches implementation reality:

```
   The definitions in this document reflect the current state of
   implementation across the JavaScript ecosystem, in web browsers and
   other environments such as Node.js alike, in order to guarantee
   backwards compatibility with existing applications as much as
   possible.
```

Does this address your concerns?


> 2. I couldn't understand the section on character encoding detection (sect
> 4.2),
> in particular this paragraph:
>
> [[
>         Implementations of this step MUST use these octet sequences to
>         determine the character encoding scheme, even if the determined
>         scheme is not supported.  If this step determines the character
>         encoding scheme, the octet sequence representing the Unicode
>         encoding form signature MUST be ignored when decoding the binary
>         source text.
> ]]
>
> I'm probably misunderstanding something here, but it seemed
> self-contradictory
> to me (if the unicode encoding signature is used to determine the
> encoding, it
> must be ignored...?)
>

Happy to clarify. This is about the Unicode Byte Order Mark (BOM), which
should be stripped from the file's contents before processing it. More info
here: https://en.wikipedia.org/wiki/Byte_order_mark (This is not specific
to this draft, or even to ECMAScript — it’s a general Unicode concept.)

Note that this language is not new to this draft; it's inherited
from RFC4329 which this document supersedes.


> 3. Security considerations for Javascript (or any scripting language on
> the web)
> is clearly a massive topic, which I don't think a "security
> considerations"
> section alone can adequately address.  I think many useful points are
> covered
> there, but I would have liked to also see references to other documents
> that
> discuss security models for scripting on the web (e.g.
> https://datatracker.ietf.org/doc/html/rfc2046#section-4.5.2,
> https://www.w3.org/Security/wiki/Cross_Site_Attacks,
> https://www.w3.org/TR/CSP2/, etc -- this list isn't intended to be
> exhaustive or
> even representative - just examples of other work in the area that might
> be
> cited), or at least a nod to the existence of other work that should be
> noted.
>

https://datatracker.ietf.org/doc/html/rfc2046#section-4.5.2 does not apply
to ECMAScript and seems out of scope for this draft.

Both https://www.w3.org/Security/wiki/Cross_Site_Attacks and
https://www.w3.org/TR/CSP2/ are specific to usage of ECMAScript *in web
browsers*, and are covered by:

```
   Uncontrolled execution of scripts can be exceedingly dangerous.
   Implementations that execute scripts MUST give consideration to their
   application's threat models and those of the individual features they
   implement; in particular, they MUST ensure that untrusted content is
   not executed in an unprotected environment.

   […]

   Specifications for host environment facilities and for derived
   programming languages should include security considerations.  If an
   implementation supports such facilities, the respective security
   considerations apply.  In particular, if scripts can be referenced
   from or included in specific document formats, the considerations for
   the embedding or referencing document format apply.
```

Furthermore, the “security considerations” section is explicitly “to be
understood as non-exhaustive and of a purely illustrative nature.”

Given the above, I'd prefer not resetting the process by creating another
draft revision just to add one or two non-normative example links.

What do you think?



> On 17/05/2021 10:21, Mathias Bynens wrote:
> > Sharing with media-types@ietf.org <mailto:media-types@ietf.org> as
> requested.
> > Please review and voice your support or concerns!
> >
> > On Tue, Apr 27, 2021 at 7:26 PM Myles Borins <mylesborins@github.com
> > <mailto:mylesborins@github.com>> wrote:
> >
> >     Disclaimer: I am one of the authors of the draft.
> >
> >     I would like to also express my support for this draft. It imho
> reflects
> >     ecosystem usage, for example there are currently over 6 million
> files with
> >     the .mjs extension on GitHub
> >     <https://github.com/search?l=&q=extension%3Amjs&type=code>.
> >
> >     The extension is supported in some mimetype collections and DBs,
> such as
> >     that of the python programming language
> >     <https://github.com/python/cpython/blob/master/Lib/mimetypes.py#L416>,
> but
> >     still hasn't been adopted by industry standard tools such as apache
> >     <
> http://apache-http-server.18135.x6.nabble.com/Bug-61383-New-mjs-files-should-be-part-of-mime-application-javascript-td5038697.html
> >.
> >     The lack of consistency here makes for poor developer experiences and
> >     inconsistent experiences across platforms + tools. This draft being
> accepted
> >     would be an extremely strong signal to let folks know that they can
> >     implement support for .mjs.
> >
> >     Separate from the new extension that will be supported the updated
> draft
> >     includes a number of additional improvements that reflect the current
> >     reality of the web. This includes making "text/javascript" COMMON
> rather
> >     than OBSOLETE and an update to the security considerations.
> >
> >     Thank you everyone for your time and considerations regarding
> this matter.
> >
> >     On Tue, Apr 27, 2021 at 10:17 AM Mathias Bynens <mths@google.com
> >     <mailto:mths@google.com>> wrote:
> >
> >         Disclaimer: I am one of the authors of this draft. Nevertheless,
> I
> >         would like to express my support and speak to the importance of
> its
> >         standardization.
> >
> >         The draft supersedes the earlier RFC4329, providing updated
> >         definitions to align with what has quickly become implementation
> >         reality, both in web browsers as well as other popular JavaScript
> >         environments such as Node.js.
> >
> >         Thanks,
> >         Mathias
> >
> >         On Tue, Apr 27, 2021 at 3:49 PM Kirsty P <Kirsty.p@ncsc.gov.uk
> >         <mailto:Kirsty.p@ncsc.gov.uk>> wrote:
> >          > ________________________________
> >          > From: Kirsty P
> >          > Sent: 26 April 2021 16:25
> >          > To: dispatch@ietf.org <mailto:dispatch@ietf.org> <
> dispatch@ietf.org
> >         <mailto:dispatch@ietf.org>>
> >          > Subject: 3rd WGLC - draft-ietf-dispatch-javascript-mjs -
> deadline
> >         10th May
> >          >
> >          > Hi DISPATCH,
> >          >
> >          > Summary: draft-ietf-dispatch-javascript-mjs is now ready for
> its 3rd
> >         WGLC (Working Group Last Call). Please send your comments and/or
> >         expressions of support to the DISPATCH list.
> >          >
> >          > Longer: the draft was recently updated to address feedback
> from a
> >         review and from the 2nd WGLC [1]. The authors posted an update
> to the
> >         list with more information [2]. We (DISPATCH chairs) feel like
> all the
> >         comments have been addressed, so it's time for 3rd WGLC.
> >          >
> >          > We need to hear positive noises and support for this draft
> from the
> >         WG before progressing the -08 draft, so please email to signal
> your
> >         endorsement, even if you have no comments to make. The draft can
> be
> >         found on datatracker here:
> >
> https://datatracker.ietf.org/doc/draft-ietf-dispatch-javascript-mjs/
> >         <
> https://datatracker.ietf.org/doc/draft-ietf-dispatch-javascript-mjs/>
> >          >
> >          > WGLC is open for 2 weeks - so will finish close-of-play on
> Monday
> >         10th May.
> >          >
> >          > Kirsty
> >          > (DISPATCH co-chair)
> >          >
> >          > [1]
> >
> https://mailarchive.ietf.org/arch/msg/dispatch/MOp48vAf_K4cjoS9XoFgxBUqXg0/
> >         <
> https://mailarchive.ietf.org/arch/msg/dispatch/MOp48vAf_K4cjoS9XoFgxBUqXg0/
> >
> >          > [2]
> >
> https://mailarchive.ietf.org/arch/msg/dispatch/TmuVIJS6Umh37oOhiIHv-5Mzkis/
> >         <
> https://mailarchive.ietf.org/arch/msg/dispatch/TmuVIJS6Umh37oOhiIHv-5Mzkis/
> >
> >          >
> >          >
> >          >
> >          > This information is exempt under the Freedom of Information
> Act 2000
> >         (FOIA) and may be exempt under other UK information legislation.
> Refer
> >         any FOIA queries to ncscinfoleg@ncsc.gov.uk
> >         <mailto:ncscinfoleg@ncsc.gov.uk>. All material is UK Crown
> Copyright ©
> >
> >
> > _______________________________________________
> > media-types mailing list
> > media-types@ietf.org
> > https://www.ietf.org/mailman/listinfo/media-types
> >
>
> --
> Graham Klyne
> mailto:graham.klyne@oerc.ox.ac.uk
> Skype/Twitter: @gklyne
>

v2.23.0 | Report a Bug | By Email