Re: [I18ndir] I18ndir early review of draft-ietf-dispatch-javascript-mjs-07

[John C Klensin <john-ietf@jck.com>]

--On Saturday, May 9, 2020 12:36 -0400 John R Levine
<johnl@taugh.com> wrote:

> On Sat, 9 May 2020, Patrik Fältström wrote:
>>> I'm sorry to hear that people are using filename extensions
>>> to tell what's in a file.  I'd hoped that all of the badness
>>> from old versions of Windows doing that might have been a
>>> hint.
>> 
>> This is something that just must go away, and I think a big
>> note in non-friendly letters must be added in the security
>> considerations section is needed that explain the situation
>> and why the current practice is not really what we want in
>> the wild.
>> 
>> I.e. yes, while still documenting "what works", that should
>> not be the goal. It will lead to even more problems getting
>> secure mechanisms in browsers deployed.
> 
> I agree with Patrik, this reinvents a security hole from the
> floppy disk era and is not something we should let pass
> without at least making it clear that we believe it is a
> significant mistake.
> 
> It occurs to me that http clients can send an Accept header,
> so how about saying that modules SHOULD be text/jsmodule, but
> MAY be text/javascript for backward compatibiltiy with clients
> that don't handle text/jsmodule?

And these kinds of suggestions (both of them) along with some
caveats about heuristics that will work well most of the time
but maybe not always, and some text that should be much more
obvious to someone reading quickly to figure out what to do
(even if they are clear to a very careful reader) identify, to
me, the main deficiencies in the current I-D.

   john