[secdir] Secdir review of draft-ietf-dispatch-javascript-mjs-10

Radia Perlman <radiaperlman@gmail.com> Fri, 12 November 2021 05:39 UTC

From: Radia Perlman <radiaperlman@gmail.com>
Date: Thu, 11 Nov 2021 21:38:44 -0800
Message-ID: <CAFOuuo6F=h=ZVrhAzAqp3oD_RkxHy7FRLkCX2fix+aRKLbv9WQ@mail.gmail.com>
To: secdir@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-dispatch-javascript-mjs.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cxNsPhC7GDW5nBrCAjA92zKiBhU>

Review result: Ready
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.
This INFORMATIONAL document is intended to replace RFC 4329 (also
INFORMATIONAL), updated to reflect current practice. The biggest change
appears to be recommending that javascript, when embedded in html, should
use the tag “text/javascript” rather than “application/javascript” while
acknowledging that the two should be considered to be synonyms (along with
text/ecmascript, text/javascript1.0, text/javascript1.1,
text/javascript1.2, text/javascript1.3, text/javascript1.4,
text/javascript1.5, text/jscript, text/livescript, text/x-javascript,
text/x-ecmascript, application/x-javascript, application/x-ecmascript, and
application/ecmascript).
The Security Considerations section notes that embedding javascript in html is
dangerous and implementers should take care to see nothing bad happens.