Re: [I18ndir] I18ndir early review of draft-ietf-dispatch-javascript-mjs-07

John C Klensin <john-ietf@jck.com> Sat, 09 May 2020 17:19 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: i18ndir@ietfa.amsl.com
Delivered-To: i18ndir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 409353A0CFE; Sat, 9 May 2020 10:19:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2GzO3heUn9Yy; Sat, 9 May 2020 10:19:51 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A24C3A0C7F; Sat, 9 May 2020 10:19:51 -0700 (PDT)
Received: from [198.252.137.10] (helo=PSB) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1jXT8b-0000Ir-Mr; Sat, 09 May 2020 13:19:45 -0400
Date: Sat, 09 May 2020 13:19:39 -0400
From: John C Klensin <john-ietf@jck.com>
To: John R Levine <johnl@taugh.com>, =?UTF-8?Q?Patrik_F=C3=A4ltstr=C3=B6m?= <patrik@frobbit.se>
cc: Myles Borins <mylesborins@google.com>, DISPATCH WG <dispatch@ietf.org>, draft-ietf-dispatch-javascript-mjs.all@ietf.org, i18ndir@ietf.org
Message-ID: <5BDA07C38DB9D03729015B9A@PSB>
In-Reply-To: <alpine.OSX.2.22.407.2005091233350.84818@ary.qy>
References: <158896904545.17044.5288882047334991439@ietfa.amsl.com> <CALaySJ+CRJumYtDCxvGsSwzanz4y=7icuqd+toc0wMivf-mJGg@mail.gmail.c om> <CAD7Fb3diej1-3fAgqZsS_E9wOs1KC=OwVWbvxV5mVjOdQEQm5g@mail.gmail.com> <alpine.OSX.2.22.407.2005081926580.81728@ary.qy> <C6B94276-EB9F-4A5B-9E1B-0DE170A05EBC@frobbit.se> <alpine.OSX.2.22.407.2005091233350.84818@ary.qy>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/i18ndir/71VaXsimhwTz90AP85U-en8viY0>
Subject: Re: [I18ndir] I18ndir early review of draft-ietf-dispatch-javascript-mjs-07
X-BeenThere: i18ndir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Internationalization Directorate <i18ndir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i18ndir>, <mailto:i18ndir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i18ndir/>
List-Post: <mailto:i18ndir@ietf.org>
List-Help: <mailto:i18ndir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i18ndir>, <mailto:i18ndir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 May 2020 17:19:54 -0000


--On Saturday, May 9, 2020 12:36 -0400 John R Levine
<johnl@taugh.com> wrote:

> On Sat, 9 May 2020, Patrik Fältström wrote:
>>> I'm sorry to hear that people are using filename extensions
>>> to tell what's in a file.  I'd hoped that all of the badness
>>> from old versions of Windows doing that might have been a
>>> hint.
>> 
>> This is something that just must go away, and I think a big
>> note in non-friendly letters must be added in the security
>> considerations section is needed that explain the situation
>> and why the current practice is not really what we want in
>> the wild.
>> 
>> I.e. yes, while still documenting "what works", that should
>> not be the goal. It will lead to even more problems getting
>> secure mechanisms in browsers deployed.
> 
> I agree with Patrik, this reinvents a security hole from the
> floppy disk era and is not something we should let pass
> without at least making it clear that we believe it is a
> significant mistake.
> 
> It occurs to me that http clients can send an Accept header,
> so how about saying that modules SHOULD be text/jsmodule, but
> MAY be text/javascript for backward compatibiltiy with clients
> that don't handle text/jsmodule?

And these kinds of suggestions (both of them) along with some
caveats about heuristics that will work well most of the time
but maybe not always, and some text that should be much more
obvious to someone reading quickly to figure out what to do
(even if they are clear to a very careful reader) identify, to
me, the main deficiencies in the current I-D.

   john