Re: [dispatch] [media-types] 3rd WGLC - draft-ietf-dispatch-javascript-mjs - deadline 10th May

Graham Klyne <Graham.Klyne@oerc.ox.ac.uk> Tue, 18 May 2021 10:18 UTC

To: Mathias Bynens <mths=40google.com@dmarc.ietf.org>, Myles Borins <mylesborins@github.com>, media-types@ietf.org
Cc: DISPATCH WG <dispatch@ietf.org>, "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>, Kirsty P <Kirsty.p@ncsc.gov.uk>
From: Graham Klyne <Graham.Klyne@oerc.ox.ac.uk>
Organization: OeRC, Oxford University
Message-ID: <05fa6f4f-ebcb-691c-8a02-69ba7a43c28b@oerc.ox.ac.uk>
Date: Tue, 18 May 2021 11:18:30 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/UXrD6Ns7H7IuB5jgsZMIuh1nx-o>

I'm responding without knowledge of the history of this proposal, but recent 
experience with the node ecosystem leads me to a view that a common mechanism 
for distinguishing javascript modules is a Good Thing.  A couple of concerns 
occur to me:

1. I think that depending on the file extension to make the distinction between 
scripts and modules doesn't really sit well with usage on the Web if they are 
expected to be parsed differently.  I would have thought a different media type 
would be useful too (though it may be late to stop that horse from bolting).


I note the draft is about much more than the .js/.mjs distinction... a couple of 
other thoughts that struck me...


2. I couldn't understand the section on character encoding detection (sect 4.2), 
in particular this paragraph:

[[
        Implementations of this step MUST use these octet sequences to
        determine the character encoding scheme, even if the determined
        scheme is not supported.  If this step determines the character
        encoding scheme, the octet sequence representing the Unicode
        encoding form signature MUST be ignored when decoding the binary
        source text.
]]

I'm probably misunderstanding something here, but it seemed self-contradictory 
to me (if the unicode encoding signature is used to determine the encoding, it 
must be ignored...?)


3. Security considerations for Javascript (or any scripting language on the web) 
is clearly a massive topic, which I don't think a "security considerations" 
section alone can adequately address.  I think many useful points are covered 
there, but I would have liked to also see references to other documents that 
discuss security models for scripting on the web (e.g. 
https://datatracker.ietf.org/doc/html/rfc2046#section-4.5.2, 
https://www.w3.org/Security/wiki/Cross_Site_Attacks, 
https://www.w3.org/TR/CSP2/, etc -- this list isn't intended to be exhaustive or 
even representative - just examples of other work in the area that might be 
cited), or at least a nod to the existence of other work that should be noted.

#g
--


On 17/05/2021 10:21, Mathias Bynens wrote:
> Sharing with media-types@ietf.org <mailto:media-types@ietf.org> as requested. 
> Please review and voice your support or concerns!
> 
> On Tue, Apr 27, 2021 at 7:26 PM Myles Borins <mylesborins@github.com 
> <mailto:mylesborins@github.com>> wrote:
> 
>     Disclaimer: I am one of the authors of the draft.
> 
>     I would like to also express my support for this draft. It imho reflects
>     ecosystem usage, for example there are currently over 6 million files with
>     the .mjs extension on GitHub
>     <https://github.com/search?l=&q=extension%3Amjs&type=code>.
> 
>     The extension is supported in some mimetype collections and DBs, such as
>     that of the python programming language
>     <https://github.com/python/cpython/blob/master/Lib/mimetypes.py#L416>, but
>     still hasn't been adopted by industry standard tools such as apache
>     <http://apache-http-server.18135.x6.nabble.com/Bug-61383-New-mjs-files-should-be-part-of-mime-application-javascript-td5038697.html>.
>     The lack of consistency here makes for poor developer experiences and
>     inconsistent experiences across platforms + tools. This draft being accepted
>     would be an extremely strong signal to let folks know that they can
>     implement support for .mjs.
> 
>     Separate from the new extension that will be supported the updated draft
>     includes a number of additional improvements that reflect the current
>     reality of the web. This includes making "text/javascript" COMMON rather
>     than OBSOLETE and an update to the security considerations.
> 
>     Thank you everyone for your time and considerations regarding this matter.
> 
>     On Tue, Apr 27, 2021 at 10:17 AM Mathias Bynens <mths@google.com
>     <mailto:mths@google.com>> wrote:
> 
>         Disclaimer: I am one of the authors of this draft. Nevertheless, I
>         would like to express my support and speak to the importance of its
>         standardization.
> 
>         The draft supersedes the earlier RFC4329, providing updated
>         definitions to align with what has quickly become implementation
>         reality, both in web browsers as well as other popular JavaScript
>         environments such as Node.js.
> 
>         Thanks,
>         Mathias
> 
>         On Tue, Apr 27, 2021 at 3:49 PM Kirsty P <Kirsty.p@ncsc.gov.uk
>         <mailto:Kirsty.p@ncsc.gov.uk>> wrote:
>          > ________________________________
>          > From: Kirsty P
>          > Sent: 26 April 2021 16:25
>          > To: dispatch@ietf.org <mailto:dispatch@ietf.org> <dispatch@ietf.org
>         <mailto:dispatch@ietf.org>>
>          > Subject: 3rd WGLC - draft-ietf-dispatch-javascript-mjs - deadline
>         10th May
>          >
>          > Hi DISPATCH,
>          >
>          > Summary: draft-ietf-dispatch-javascript-mjs is now ready for its 3rd
>         WGLC (Working Group Last Call). Please send your comments and/or
>         expressions of support to the DISPATCH list.
>          >
>          > Longer: the draft was recently updated to address feedback from a
>         review and from the 2nd WGLC [1]. The authors posted an update to the
>         list with more information [2]. We (DISPATCH chairs) feel like all the
>         comments have been addressed, so it's time for 3rd WGLC.
>          >
>          > We need to hear positive noises and support for this draft from the
>         WG before progressing the -08 draft, so please email to signal your
>         endorsement, even if you have no comments to make. The draft can be
>         found on datatracker here:
>         https://datatracker.ietf.org/doc/draft-ietf-dispatch-javascript-mjs/
>         <https://datatracker.ietf.org/doc/draft-ietf-dispatch-javascript-mjs/>
>          >
>          > WGLC is open for 2 weeks - so will finish close-of-play on Monday
>         10th May.
>          >
>          > Kirsty
>          > (DISPATCH co-chair)
>          >
>          > [1]
>         https://mailarchive.ietf.org/arch/msg/dispatch/MOp48vAf_K4cjoS9XoFgxBUqXg0/
>         <https://mailarchive.ietf.org/arch/msg/dispatch/MOp48vAf_K4cjoS9XoFgxBUqXg0/>
>          > [2]
>         https://mailarchive.ietf.org/arch/msg/dispatch/TmuVIJS6Umh37oOhiIHv-5Mzkis/
>         <https://mailarchive.ietf.org/arch/msg/dispatch/TmuVIJS6Umh37oOhiIHv-5Mzkis/>
>          >
>          >
>          >
>          > This information is exempt under the Freedom of Information Act 2000
>         (FOIA) and may be exempt under other UK information legislation. Refer
>         any FOIA queries to ncscinfoleg@ncsc.gov.uk
>         <mailto:ncscinfoleg@ncsc.gov.uk>. All material is UK Crown Copyright ©
> 
> 
> _______________________________________________
> media-types mailing list
> media-types@ietf.org
> https://www.ietf.org/mailman/listinfo/media-types
> 

-- 
Graham Klyne
mailto:graham.klyne@oerc.ox.ac.uk
Skype/Twitter: @gklyne
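
One reading of the section 4.2 paragraph quoted in point 2 above, as an added example that is not part of the original message or of the draft: the leading octets select the encoding scheme and are then skipped rather than decoded as a character. The signature table (the standard Unicode byte order marks), the function names and the `fallbackScheme` and `supported` parameters are assumptions made for illustration.

```javascript
// Added example; table, names and parameters are assumptions, not the draft's text.
const SIGNATURES = [
  { scheme: "UTF-8", octets: [0xef, 0xbb, 0xbf] },
  { scheme: "UTF-16BE", octets: [0xfe, 0xff] },
  { scheme: "UTF-16LE", octets: [0xff, 0xfe] },
];

// The leading octets alone decide the scheme; returns null if none match.
function detectSignature(bytes) {
  for (const sig of SIGNATURES) {
    if (bytes.length >= sig.octets.length &&
        sig.octets.every((octet, i) => bytes[i] === octet)) {
      return sig;
    }
  }
  return null;
}

// Decode source bytes. `fallbackScheme` (hypothetical) is consulted only when
// no signature is present; `supported` models a limited implementation.
function decodeSource(bytes, fallbackScheme = "UTF-8",
                      supported = ["UTF-8", "UTF-16LE", "UTF-16BE"]) {
  const sig = detectSignature(bytes);
  const scheme = sig ? sig.scheme : fallbackScheme;
  if (!supported.includes(scheme)) {
    // The signature is binding: fail rather than retry with another scheme.
    throw new Error(`unsupported encoding scheme: ${scheme}`);
  }
  // The signature octets are consumed by detection, not decoded as text.
  const body = Buffer.from(bytes.slice(sig ? sig.octets.length : 0));
  if (scheme === "UTF-8") return { scheme, text: body.toString("utf8") };
  if (body.length % 2 !== 0) throw new Error("truncated UTF-16 code unit");
  if (scheme === "UTF-16BE") body.swap16(); // Buffer has no big-endian decoder
  return { scheme, text: body.toString("utf16le") };
}

// Constructed samples: the same one-line script "x=1" in different encodings.
const utf8Bom = [0xef, 0xbb, 0xbf, 0x78, 0x3d, 0x31];
const utf16be = [0xfe, 0xff, 0x00, 0x78, 0x00, 0x3d, 0x00, 0x31];
const noBom = [0x78, 0x3d, 0x31];
```

Making the signature binding means two consumers of the same bytes, such as a content filter and a script engine, cannot legitimately decode them into different source text.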