Draft: draft-hoehrmann-script-types-03.txt
Reviewer: Black_David@emc.com
Date: Monday 6/20/2005 6:12 PM CST

Summary: This draft is basically ready for publication as an Informational RFC, but has nits that should be fixed before publication.

Review comments:

(1) While I have no objection to this being an Informational RFC, its use of MUST/SHOULD/MAY to specify implementation requirements for scripting reads like a Standards Track RFC, and so I wonder why it's not intended to be a Proposed Standard RFC. I've cc:'d Scott Hollenbeck (responsible APP AD) on the theory that he knows something about this that I don't.

(2) I found one quibble in the Security Considerations section:

    A host environment can provide facilities to access external input,
    scripts that pass such input to the eval() function can be vulnerable
    to code injection attacks; scripts must protect against such attacks.

Given that the script itself may be an external input, requiring the script to provide protection may put the fox in charge of guarding the henhouse (with apologies to Bjoern for my lack of knowledge of what the corresponding German idiom is for putting the thief in charge of guarding the jewels). There should be some mention of limiting the script's ability to access external input and/or execute it (e.g., limiting the script's access to a trusted environment or domain(s), or the domain from which the script was obtained, or even disabling eval() if the script accesses something that seems questionable if executed).

(3) IANA seems to have figured out that the types to be registered are MIME media types but probably should be told how to indicate that the two text/ registrations are obsolete, or at least that it is important to mark these registrations as obsolete in the registry (unless the OBSOLETE intended usage field in the registration suffices, but marking the registry entry will be more effective).

Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david@emc.com           Mobile: +1 (978) 394-7754
----------------------------------------------------
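The pattern the quoted Security Considerations text warns about, as an added illustration that is not part of the review above or of the draft: a script that hands external input to eval() executes it as code, while the hardened form treats the same input strictly as data. The settings-parsing scenario, the key names and the constructed input strings are assumptions for the example.

```javascript
// Added example (not from the review or the draft). A host environment hands
// the script an external string (assume a query parameter or similar).

// Vulnerable: the external string reaches eval(), so it is executed as code
// rather than read as data. This is the pattern the draft text warns about.
function parseSettingsUnsafe(externalInput) {
  return eval("(" + externalInput + ")");
}

// Hardened: JSON.parse never executes code, and a shape check rejects
// anything the script does not expect (assumed schema: theme, fontSize).
function parseSettingsSafe(externalInput) {
  let data;
  try {
    data = JSON.parse(externalInput);
  } catch (e) {
    return null; // not well-formed JSON: reject instead of executing it
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return null; // only a plain object is acceptable
  }
  const allowed = { theme: "string", fontSize: "number" };
  const result = {};
  for (const key of Object.keys(data)) {
    if (!(key in allowed) || typeof data[key] !== allowed[key]) {
      return null; // unexpected key or wrong type
    }
    result[key] = data[key];
  }
  return result;
}

// Constructed inputs: one is plain data, the other is a JavaScript
// expression. eval() runs the expression; JSON.parse refuses it.
const dataInput = '{"theme":"dark","fontSize":12}';
const expressionInput = "1 + 1";

console.log(parseSettingsUnsafe(dataInput));       // { theme: 'dark', fontSize: 12 }
console.log(parseSettingsUnsafe(expressionInput)); // 2 (executed as code)
console.log(parseSettingsSafe(dataInput));         // { theme: 'dark', fontSize: 12 }
console.log(parseSettingsSafe(expressionInput));   // null (rejected)
```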