Network Working Group                                       B. Hoehrmann
Internet-Draft                                        September 21, 2001
Expires: March 22, 2002


                 JavaScript and ECMAScript Media Types

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 22, 2002.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   JavaScript and ECMAScript are Scripting Languages that have been
   commonly used on the World Wide Web for years, under various
   unregistered Media Types.  This memo seeks to regularize that
   position by formally registering Media Types for these Scripting
   Languages.

Table of Contents

   1.   Introduction
   1.1  History and Standardization
   1.2  Implementations and Usage
   1.3  Rationale
   2.   Conventions used in this document
   3.   The text/javascript Media Type
   3.1  Notes on text/javascript
   3.2  Registration of text/javascript
   4.   The application/javascript Media Type
   4.1  Notes on application/javascript
   4.2  Registration of application/javascript
   5.   The text/ecmascript Media Type
   5.1  Notes on text/ecmascript
   5.2  Registration of text/ecmascript
   6.   Registration Details
   6.1  The charset parameter
   6.2  The version parameter
   6.3  Encoding Considerations
   6.4  Security Considerations
   6.5  Interoperability Considerations
   6.6  Published JavaScript specifications
   6.7  Published ECMAScript Specifications
   6.8  Accessibility Considerations
   7.   Notes on Microsoft's JScript language
   8.   Acknowledgments
        References
        Author's Address
        Full Copyright Statement

1. Introduction

1.1 History and Standardization

   JavaScript is a cross-platform, object-based scripting language
   originally developed by Netscape Communications Corp.  It has been in
   use since 1995 on web pages on the World Wide Web and in various
   other environments.  In 1997 JavaScript was formally standardized by
   TC 39 of the European Computer Manufacturers Association (ECMA) as
   ECMA-262 [ECMA-262] ("ECMAScript") and adopted by the International
   Standardization Organization (ISO) as ISO/IEC 16262:1998 [ISO16262]
   in April 1998.

   NOTE: JavaScript is a trademark of Sun Microsystems, Inc.  It was
   originally called LiveScript.  It has nothing to do with the Java
   Language.

1.2 Implementations and Usage

   Several web browsers support the ability to download programs with an
   HTML document and execute them within the browser.  These programs
   are typically used to interact with the browser user and to add
   dynamic features to otherwise static content.  The first
   implementation of JavaScript was the web browser Netscape Navigator
   2.0 developed by Netscape Communications Corporation.

   But ECMAScript and JavaScript are by no means limited to browsers or
   client-side applications in general.  For example, SVG 1.0 [SVG10]
   (an XML-based vector graphics format) requires Dynamic SVG Viewers to
   support ECMAScript to allow animation of and interaction with the
   graphic, and the Netscape Enterprise Server provides a means to use
   JavaScript on the server-side.  Available Open Source implementations
   like SpiderMonkey and Rhino ease the usage of these scripting
   languages in other domains.

1.3 Rationale

   Many common Internet and World Wide Web protocols require the use of
   properly registered Media Types to identify the type of local or
   remote resources.  Unfortunately no Media Types for JavaScript and
   ECMAScript were officially registered.  As a result of this omission,
   private Media Types like application/x-javascript are used to
   identify these scripting languages.  This memo seeks to regularize
   that position by formally registering Media Types for these Scripting
   Languages.

   While it may be ok for some people to use these private and/or
   unregistered Media Types, it isn't for others.  Some organizations
   have strict policies towards standards, thus they may be unable to
   use these Scripting Languages at all.

   This memo does not introduce new Media Types, it just registers the
   Media Types used for several years now.
   It is not acceptable to break with common practice on millions of web
   sites, thus there has been no chance to choose Media Types that would
   potentially be more appropriate.

   NOTE: The author of this memo is not affiliated with any of the
   companies and organizations mentioned in this document.

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3. The text/javascript Media Type

3.1 Notes on text/javascript

   The Media Type text/javascript is being used for internal scripts in
   HTML documents and some external scripts.  It should be used in
   preference to application/javascript where appropriate.

   ECMAScript scripts may be labeled with this Media Type if they are
   conforming to a given version of JavaScript.

3.2 Registration of text/javascript

   MIME media type name: text

   MIME subtype name: javascript

   Required parameters: none

   Optional parameters:

      charset

         See Section 6.1 of this document.

      version

         See Section 6.2 of this document.

   Encoding considerations: See Section 6.3 of this document.

   Security considerations: See Section 6.4 of this document.

   Interoperability considerations: See Section 6.5 of this document.

   Published specification: See Section 6.6 of this document.

   Applications which use this media type: See Section 1.2 of this
      document.

   Additional information:

      Magic number(s): none

      File extension(s): js

      Macintosh File Type Code(s): TEXT

   Person & email address to contact for further information: Bjoern
      Hoehrmann

   Intended usage: COMMON

   Author/Change controller: JavaScript is a work product of Netscape
      Communications Corporation.  Netscape has change control over the
      JavaScript specification.

4. The application/javascript Media Type

4.1 Notes on application/javascript

   The private Media Type application/x-javascript has been used for
   external scripts linked from HTML documents.  The leading web server
   software Apache (http://httpd.apache.org/) uses it as default type
   for files with the file name extension ".js".  Some early
   implementations of JavaScript may require this Media Type to
   recognize JavaScript, but usage of text/javascript is preferred where
   compatibility to these implementations isn't required, thus the
   registration of application/javascript in this memo lists "LIMITED
   USE" as intended usage.

   Applications SHOULD support the "x-"-prefixed Media Type
   "application/x-javascript" as alias of application/javascript for
   compatibility reasons.

   ECMAScript scripts MAY be labeled with this Media Type if they are
   conforming to a given version of JavaScript.

4.2 Registration of application/javascript

   MIME media type name: application

   MIME subtype name: javascript

   Required parameters: none

   Optional parameters:

      charset

         See Section 6.1 of this document.

      version

         See Section 6.2 of this document.

   Encoding considerations: See Section 6.3 of this document.

   Security considerations: See Section 6.4 of this document.

   Interoperability considerations: See Section 6.5 of this document.

   Published specification: See Section 6.6 of this document.

   Applications which use this media type: See Section 1.2 of this
      document.

   Additional information:

      Magic number(s): none

      File extension(s): js

      Macintosh File Type Code(s): TEXT

   Person & email address to contact for further information: Bjoern
      Hoehrmann

   Intended usage: COMMON

   Author/Change controller:
      JavaScript is a work product of Netscape Communications
      Corporation.
      Netscape has change control over the JavaScript specification.

5. The text/ecmascript Media Type

5.1 Notes on text/ecmascript

   To the best of the author's knowledge, this Media Type has been
   introduced by the SVG [SVG10] specifications.  It is being used there
   and defined as the default value for the 'contentScriptType'
   attribute of the 'svg' element.

   JavaScript scripts may be labeled with this Media Type if they are
   conforming to a given revision of ECMA-262.

5.2 Registration of text/ecmascript

   MIME media type name: text

   MIME subtype name: ecmascript

   Required parameters: none

   Optional parameters:

      charset

         See Section 6.1 of this document.

      version

         See Section 6.2 of this document.

   Encoding considerations: See Section 6.3 of this document.

   Security considerations: See Section 6.4 of this document.

   Interoperability considerations: See Section 6.5 of this document.

   Published specification: See Section 6.7 of this document.

   Applications which use this media type: See Section 1.2 of this
      document.

   Additional information:

      Magic number(s): none

      File extension(s): ecma, es

      Macintosh File Type Code(s): TEXT

   Person & email address to contact for further information: Bjoern
      Hoehrmann

   Intended usage: COMMON

   Author/Change controller: ECMAScript is a work product of Technical
      Committee 39 of the European Computer Manufacturers Association
      (ECMA).  ECMA has change control over the ECMA-262 specification.

6. Registration Details

6.1 The charset parameter

   The optional parameter "charset" refers to the character encoding
   used to represent the ECMAScript or JavaScript document as a sequence
   of bytes.  Any registered IANA charset may be used, but UTF-8 is
   preferred.  Although this parameter is optional, it is strongly
   recommended that it always be present.  This memo doesn't define any
   default value for this parameter.

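   The following is an added example, not part of the original memo: a
   Content-Type classifier for the three registered types, the
   application/x-javascript alias from Section 4.1 and the optional
   charset and version parameters.  The names SCRIPT_TYPES,
   splitParams, unquote and parseScriptType are chosen for this example.

```javascript
// Added example: map a Content-Type value onto this memo's registrations.
// Media type names and parameter names are matched case-insensitively.
const SCRIPT_TYPES = new Map([
  ["text/javascript", "text/javascript"],
  ["application/javascript", "application/javascript"],
  ["application/x-javascript", "application/javascript"], // alias, Section 4.1
  ["text/ecmascript", "text/ecmascript"],
]);

// Split on ';' but not inside a quoted-string parameter value.
function splitParams(value) {
  const parts = [];
  let cur = "";
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\" && i + 1 < value.length) {
      cur += ch + value[++i]; // keep a quoted-pair together
    } else if (ch === '"') {
      inQuotes = !inQuotes;
      cur += ch;
    } else if (ch === ";" && !inQuotes) {
      parts.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts;
}

// Remove surrounding double quotes and backslash escapes, if present.
function unquote(v) {
  if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) {
    return v.slice(1, -1).replace(/\\(.)/g, "$1");
  }
  return v;
}

// Returns null for any type not registered here, otherwise the canonical
// type, whether the "x-" alias was used, and the two optional parameters.
function parseScriptType(headerValue) {
  const [rawType, ...rawParams] = splitParams(String(headerValue));
  const type = rawType.trim().toLowerCase();
  const canonical = SCRIPT_TYPES.get(type);
  if (!canonical) return null;
  const result = { type: canonical, alias: canonical !== type,
                   charset: null, version: null, warnings: [] };
  for (const p of rawParams) {
    const eq = p.indexOf("=");
    if (eq < 0) continue; // not a name=value parameter
    const name = p.slice(0, eq).trim().toLowerCase();
    const val = unquote(p.slice(eq + 1).trim());
    if (name === "charset" && result.charset === null) {
      result.charset = val.toLowerCase();
    } else if (name === "version" && result.version === null) {
      result.version = val;
    }
  }
  if (result.charset === null) {
    // Section 6.1: no default is defined, so the encoding is unknown.
    result.warnings.push("charset missing: no default defined");
  }
  return result;
}
```
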
6.2 The version parameter

   The optional parameter "version" refers to the version of JavaScript
   or the revision of ECMA-262 the script is written in.  This memo
   doesn't define any default value for this parameter.

6.3 Encoding Considerations

   For use with transports that are not 8-bit clean, quoted-printable
   encoding is recommended since the majority of characters will be
   ECMAScript or JavaScript syntax and thus US-ASCII.

6.4 Security Considerations

   Programs written in JavaScript or ECMAScript, just like programs
   written in other languages, may contain malicious code.  Since those
   scripts are normally executed without further notice to the user,
   care has to be taken by implementors in what those scripts are
   allowed to do in a given security context.  In Web browsers, they are
   executed in the security context of the page with which they were
   downloaded, and they have restricted access to other resources within
   the browser.

   Early implementations of JavaScript had several security flaws.  The
   book "JavaScript - The Definitive Guide" published by O'Reilly and
   Associates [JSGUIDE] says in chapter 1.5 (quoted with permission):

      "In Navigator 2, for example, it was possible to write JavaScript
      code that could automatically steal the email address of any
      visitor to the page containing the code.  More worrisome was the
      related capability to send email in the visitor's name, without
      the visitor's knowledge or approval.  This was done by defining an
      HTML form, with a mailto: URL as its ACTION attribute and using
      POST as the submission method.  With this form defined, JavaScript
      code could then call the form object's submit() method when the
      page containing the form was first loaded.  This automatically
      generated mail in the visitor's name to any desired address.
      The mail contained the visitor's email address, which could be
      stolen for use in Internet marketing, for example.  Furthermore,
      by setting appropriate values within the form, this malicious
      JavaScript code could send a message in the user's name to any
      email address."

   CERT Advisory CA-1997-20 [CA-1997-20] gives information on further
   security flaws in those early implementations:

      "The CERT Coordination Center has received reports of a
      vulnerability in JavaScript that enables remote attackers to
      monitor a user's Web activities.  The vulnerability affects
      several Web browsers that support JavaScript.  The vulnerability
      can be exploited even if the browser is behind a firewall and even
      when users browse "secure" HTTPS-based documents."

   Fortunately, most known security issues within common implementations
   have been fixed in recent versions.

   However, these scripting languages are commonly used to manipulate
   the document object model of given documents, thus they can be used
   to hide information otherwise visible, for example by removing
   elements from the document tree.

   This feature also enables scripts to initiate transfers of arbitrary
   network resources, e.g. by setting the 'src' attribute of the HTML
   element 'img' to a new URI.  Security considerations on these
   resources are subject to individual registered types.

   This also enables scripts to transfer information on e.g. the browser
   or the computing environment back to the server.  Consider a browser
   providing access to information on the browser itself, the operating
   system, screen resolution, installed software, etc.  This information
   could be transferred to the server by appending a string to the new
   URI, e.g. http://host/?os=Win95&browser=IE5.  This affects users'
   privacy and could be used to exploit vulnerabilities.

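   The following is an added example, not part of the original memo: a
   log review that flags requests whose query string carries
   client-environment data of the kind shown in the URI above.  The log
   layout, the sample lines, the ENV_KEYS list and the resolution
   pattern are assumptions constructed for this example.

```javascript
// Added example: find logged requests that pass environment data in the
// query string, as in http://host/?os=Win95&browser=IE5 (Section 6.4).

// Assumption: parameter names treated as environment data.
const ENV_KEYS = new Set(["os", "browser", "platform", "screen", "plugins", "ua"]);
// Assumption: a value shaped like a screen resolution, e.g. 1024x768.
const RESOLUTION = /^\d{3,4}x\d{3,4}$/i;

// Constructed sample lines: "<client> <method> <url> <referer>".
const SAMPLE_LOG = [
  "10.0.0.5 GET http://host/?os=Win95&browser=IE5 http://news.example/story.html",
  "10.0.0.5 GET http://cdn.example/logo.gif?v=3 http://news.example/story.html",
  "10.0.0.7 GET http://stats.example/p.gif?scr=1024x768&lang=de http://shop.example/",
  "10.0.0.7 GET http://shop.example/search?q=browser+games -",
];

// Host part of a URL, or null when the string is not a URL ("-" included).
function hostOf(rawUrl) {
  try {
    return new URL(rawUrl).host;
  } catch (err) {
    return null;
  }
}

// Names of query parameters whose name or value looks like environment data.
function envParams(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return []; // unparsable URL: nothing to inspect
  }
  const hits = [];
  for (const [name, value] of url.searchParams) {
    if (ENV_KEYS.has(name.toLowerCase()) || RESOLUTION.test(value)) {
      hits.push(name);
    }
  }
  return hits;
}

// One finding per flagged request; crossSite is true when the request went
// to a different host than the page named in the referer field.
function findEnvLeaks(lines) {
  const findings = [];
  for (const line of lines) {
    const [client, method, url, referer] = line.trim().split(/\s+/);
    if (method !== "GET" || !url) continue;
    const params = envParams(url);
    if (params.length === 0) continue;
    const origin = hostOf(referer || "");
    findings.push({ client, url, params,
                    crossSite: origin !== null && origin !== hostOf(url) });
  }
  return findings;
}
```

   Matching on parameter names alone misses renamed parameters, which
   is why the value pattern is checked as well; the search request in
   the last sample line is not flagged because only its value contains
   the word "browser".
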
6.5 Interoperability Considerations

   JavaScript is used on millions of web sites today and the scripts are
   running on different computer platforms and web browsers at least
   most of the time.  The standardized sibling of JavaScript,
   ECMAScript, is meant to further improve interoperability and recently
   deployed implementations claim to be conforming to [ECMA-262].

   Additionally, the World Wide Web Consortium (http://www.w3.org)
   standardized the Document Object Model (http://www.w3.org/DOM/) used
   in various web browsers and recently deployed web browsers claim to
   adhere to some Level of the Document Object Model.

6.6 Published JavaScript specifications

   As of the time of publication of this document, the latest JavaScript
   version is 1.4, as formally specified in the Core JavaScript
   Reference [JS14].

6.7 Published ECMAScript Specifications

   The latest specification for ECMAScript is ECMA-262, revision 3
   [ECMA-262] published by the European Computer Manufacturers
   Association in December 1999.  The former revision 2 has been adopted
   by ISO as ISO/IEC 16262:1998 [ISO16262] in April 1998.

6.8 Accessibility Considerations

   Authors using scripts in combination with (X)HTML documents are
   encouraged to follow the checkpoints and use the techniques
   summarized in the W3C Note "HTML Techniques for Web Content
   Accessibility Guidelines 1.0" [WCAGTECHS] section 12 to ensure proper
   accessibility of their web pages.

7. Notes on Microsoft's JScript language

   This memo does not attempt to register a Media Type for Microsoft's
   ECMA-262 implementation called "JScript".  JScript is not commonly
   identified by any MIME type; Microsoft rather uses a "language"
   attribute in host documents like the language attribute of the
   "script" element in HTML.
   Microsoft claims that JScript is with only a few minor exceptions a
   full implementation of the ECMA-262 standard, thus scripts that don't
   rely on these exceptions MAY be labeled with text/ecmascript.
   JScript scripts conforming to a given level of JavaScript MAY be
   labeled as text/javascript or application/javascript.

   For more information on Microsoft JScript, refer to .

8. Acknowledgments

   Thanks to Marshall T. Rose for providing RFC 2629 and the xml2rfc
   tool used to generate this memo.

References

   [CA-1997-20]  CERT Coordination Center, "CERT Advisory CA-1997-20 -
                 "JavaScript Vulnerability"", July 1997.

   [ECMA-262]    European Computer Manufacturers Association,
                 "ECMAScript Language Specification 3rd Edition",
                 December 1999.

   [ISO16262]    International Organization for Standardization,
                 "ECMAScript language specification", April 1998.

   [JS14]        Netscape Communications Corporation, "JavaScript 1.4
                 Core Reference Manual", October 1998.

   [JSGUIDE]     Flanagan, D., "JavaScript: The Definitive Guide, 3rd
                 Edition", ISBN 1-56592-392-8, Published by O'Reilly &
                 Associates, June 1998.

   [RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
                 Requirement Levels", BCP 14, RFC 2119, March 1997.

   [SVG10]       Ferraiolo, J., "Scalable Vector Graphics (SVG) 1.0
                 Specification", September 2001.

   [WCAGTECHS]   Chisholm, W., Vanderheiden, G. and I. Jacobs, "HTML
                 Techniques for Web Content Accessibility Guidelines
                 1.0", November 2000.

Author's Address

   Bjoern Hoehrmann
   am Bededeich 7
   D-25899 Dagebuell
   Germany

   Phone: tel:+49-4667-981028
   EMail: bjoern@hoehrmann.de
   URI:   http://bjoern.hoehrmann.de

   NOTE: Please write "Bjoern Hoehrmann" with o-umlaut (U+00F6) wherever
   possible, e.g. as "Björn Höhrmann" in HTML and XML.

Full Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.