Network Working Group B. Hoehrmann
Internet-Draft September 21, 2001
Expires: March 22, 2002
JavaScript and ECMAScript Media Types
<draft-hoehrmann-script-types-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 22, 2002.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
JavaScript and ECMAScript are Scripting Languages commonly used on
the World Wide Web for years, using various unregistered Media Types.
This memo seeks to regularize that position by formally registering
Media Types for these Scripting Languages.
Hoehrmann Expires March 22, 2002 [Page 1]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 History and Standardization . . . . . . . . . . . . . . . . . 3
1.2 Implementations and Usage . . . . . . . . . . . . . . . . . . 3
1.3 Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions used in this document . . . . . . . . . . . . . . 4
3. The text/javascript Media Type . . . . . . . . . . . . . . . . 4
3.1 Notes on text/javascript . . . . . . . . . . . . . . . . . . . 4
3.2 Registration of text/javascript . . . . . . . . . . . . . . . 4
4. The application/javascript Media Type . . . . . . . . . . . . 5
4.1 Notes on application/javascript . . . . . . . . . . . . . . . 5
4.2 Registration of application/javascript . . . . . . . . . . . . 6
5. The text/ecmascript Media Type . . . . . . . . . . . . . . . . 7
5.1 Notes on text/ecmascript . . . . . . . . . . . . . . . . . . . 7
5.2 Registration of text/ecmascript . . . . . . . . . . . . . . . 7
6. Registration Details . . . . . . . . . . . . . . . . . . . . . 8
6.1 The charset parameter . . . . . . . . . . . . . . . . . . . . 8
6.2 The version parameter . . . . . . . . . . . . . . . . . . . . 8
6.3 Encoding Considerations . . . . . . . . . . . . . . . . . . . 8
6.4 Security Considerations . . . . . . . . . . . . . . . . . . . 8
6.5 Interoperability Considerations . . . . . . . . . . . . . . . 10
6.6 Published JavaScript specifications . . . . . . . . . . . . . 10
6.7 Published ECMAScript Specifications . . . . . . . . . . . . . 10
6.8 Accessibility Considerations . . . . . . . . . . . . . . . . . 10
7. Notes on Microsoft's JScript language . . . . . . . . . . . . 10
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 12
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13
Hoehrmann Expires March 22, 2002 [Page 2]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
1. Introduction
1.1 History and Standardization
JavaScript is a cross-platform, object-based scripting language
originally developed by Netscape Communications Corp. It is beeing
used since 1995 on web pages on the World Wide Web and in various
other environments. In 1997 JavaScript was formally standardized by
TC 39 of the European Computer Manufacturers Association (ECMA) as
ECMA-262 [ECMA-262] ("ECMAScript") and adopted by the International
Standardization Organization (ISO) as ISO/IEC 16262:1998 [ISO16262]
in April 1998.
NOTE: JavaScript is a trademark of Sun Microsystems, Inc. It was
originally called LiveScript. It has nothing to do with the Java
Language.
1.2 Implementations and Usage
Several web browsers support the ability to download programs with an
HTML document and execute them within the browser. These programs
are typically used to interact with the browser user and adding
dynamic features to otherwise static content. The first
implementation of JavaScript was the web browser Netscape Navigator
2.0 developed by Netscape Communications Corporation. But ECMAScript
and JavaScript are by no means limited to browsers or client-side
applications in general. For example, SVG 1.0 [SVG10] (an XML-based
vector graphics format) requires Dynamic SVG Viewers to support
ECMAScript to allow animation of and interaction with the graphic,
and the Netscape Enterprise Server provides a means to use JavaScript
on the server-side. Available Open Source implementations like
SpiderMonkey (<http://www.mozilla.org/js/spidermonkey/>) and Rhino
(<http://www.mozilla.org/rhino/>) ease the usage of these scripting
languages in other domains.
1.3 Rationale
Many common Internet and World Wide Web protocols require the use of
properly registered Media Types to identify the type of local or
remote resources. Unfortunately no Media Types for JavaScript and
ECMAScript were officially registered. As a result of this omission,
private Media Types like application/x-javascript are used to
identify these scripting languages. This memo seeks to regularize
that position by formally registering Media Types for these Scripting
Languages. While it may be ok for some people to use these private
and/or unregistered Media Types, it isn't for others. Some
organizations have strict policies towards standards, thus they may
be unable to use these Scripting Languages at all.
Hoehrmann Expires March 22, 2002 [Page 3]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
This memo does not introduce new Media Types, it just registers the
Media Types used for several years now. It is not acceptable to
break with common practice on million of web sites, thus there has
been no chance to choose Media Types that would potentially be more
appropriate.
NOTE: The author of this memo is not affiliated with any of the
companies and organizations mentioned in this document.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] .
3. The text/javascript Media Type
3.1 Notes on text/javascript
The Media Type text/javascript is being used for internal scripts in
HTML documents and some external scripts. It should be used in favor
to application/javascript where appropriate. ECMAScript scripts may
be labeled with this Media Type if they are conforming to a given
version of JavaScript.
3.2 Registration of text/javascript
MIME media type name: text
MIME subtype name: javascript
Required parameters: none
Optional parameters:
charset
See Section 6.1 of this document.
version
See Section 6.2 of this document.
Encoding considerations:
See Section 6.3 of this document.
Security considerations:
See Section 6.4 of this document.
Hoehrmann Expires March 22, 2002 [Page 4]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
Interoperability considerations:
See Section 6.5 of this document.
Published specification:
See Section 6.6 of this document.
Applications which use this media type:
See Section 1.2 of this document.
Additional information:
Magic number(s): none
File extension(s): js
Macintosh File Type Code(s): TEXT
Person & email address to contact for further information:
Bjoern Hoehrmann <bjoern@hoehrmann.de>
Intended usage: COMMON
Author/Change controller:
JavaScript is a work product of Netscape Communications
Corporation. Netscape has change control over the JavaScript
specification.
4. The application/javascript Media Type
4.1 Notes on application/javascript
The private Media Type application/x-javascript has been used for
external scripts linked from HTML documents. The leading web server
software Apache (http://httpd.apache.org/) uses it as default type
for files with the file name extension ".js".
Some early implementations of JavaScript may require this Media Type
to recognize JavaScript, but usage of text/javascript is preferred
where compatibility to these implementations isn't required, thus the
registration of application/javascript in this memo lists "LIMITED
USE" as intended usage.
Applications SHOULD support the "x-"-prefixed Media Type
"application/x-javascript" as alias of application/javascript for
compatibility reasons.
ECMAScript scripts MAY be labeled with this Media Type if they are
Hoehrmann Expires March 22, 2002 [Page 5]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
conforming to a given version of JavaScript.
4.2 Registration of application/javascript
MIME media type name: application
MIME subtype name: javascript
Required parameters: none
Optional parameters:
charset
See Section 6.1 of this document.
version
See Section 6.2 of this document.
Encoding considerations:
See Section 6.3 of this document.
Security considerations:
See Section 6.4 of this document.
Interoperability considerations:
See Section 6.5 of this document.
Published specification:
See Section 6.6 of this document.
Applications which use this media type:
See Section 1.2 of this document.
Additional information:
Magic number(s): none
File extension(s): js
Macintosh File Type Code(s): TEXT
Person & email address to contact for further information:
Bjoern Hoehrmann <bjoern@hoehrmann.de>
Intended usage: COMMON
Author/Change controller:
Hoehrmann Expires March 22, 2002 [Page 6]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
JavaScript is a work product of Netscape Communications
Corporation. Netscape has change control over the JavaScript
specification.
5. The text/ecmascript Media Type
5.1 Notes on text/ecmascript
By the best of the author's knowledge, this Media Type has been
introduced by the SVG [SVG10] specifications. It is beeing used
there and defined as the default value for the 'contentScriptType'
attribute of the 'svg' element.
JavaScript scripts may be labeled with this Media Type if they are
conforming to a given revision of ECMA-262.
5.2 Registration of text/ecmascript
MIME media type name: text
MIME subtype name: ecmascript
Required parameters: none
Optional parameters:
charset
See Section 6.1 of this document.
version
See Section 6.2 of this document.
Encoding considerations:
See Section 6.3 of this document.
Security considerations:
See Section 6.4 of this document.
Interoperability considerations:
See Section 6.5 of this document.
Published specification:
See Section 6.7 of this document.
Applications which use this media type:
Hoehrmann Expires March 22, 2002 [Page 7]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
See Section 1.2 of this document.
Additional information:
Magic number(s): none
File extension(s): ecma, es
Macintosh File Type Code(s): TEXT
Person & email address to contact for further information:
Bjoern Hoehrmann <bjoern@hoehrmann.de>
Intended usage: COMMON
Author/Change controller:
ECMAScript is a work product of Technical Committee 39 of the
European Computer Manufacturers Association (ECMA). ECMA has
change control over the ECMA-262 specification.
6. Registration Details
6.1 The charset parameter
The optional parameter "charset" refers to the character encoding
used to represent the ECMAScript respectively the JavaScript document
as a sequence of bytes. Any registered IANA charset may be used, but
UTF-8 is preferred. Although this parameter is optional, it is
strongly recommended that it always be present. This memo doesn't
define any default value for this parameter.
6.2 The version parameter
The optional parameter "version" refers to the version of JavaScript
respectively the revision of ECMA-262 the script is written in. This
memo doesn't define any default value for this parameter.
6.3 Encoding Considerations
For use with transports that are not 8-Bit clean, quoted-printable
encoding is recommended since the majority of characters will be
ECMAScript respectively JavaScript syntax and thus US-ASCII.
6.4 Security Considerations
Programs written in JavaScript or ECMAScript, just like programs
written in other languages, may contain malicious code. Since those
Hoehrmann Expires March 22, 2002 [Page 8]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
scripts are normally executed without further notice to the user,
care has to be taken by implementors in what those scripts are
allowed to do in a given security context. In Web browsers, they are
executed in the security context of the page with which they were
downloaded, and they have restricted access to other resources within
the browser. Early implementations of JavaScript had several
security flaws. The book "JavaScript - The Definitive Guide"
published by O'Reilly and Associates [JSGUIDE] says in chapter 1.5
(quoted with permission):
"In Navigator 2, for example, it was possible to write JavaScript
code that could automatically steal the email address of any
visitor to the page containing the code. More worrisome was the
related capability to send email in the visitor's name, without
the visitor's knowledge or approval. This was done by defining an
HTML form, with a mailto: URL as its ACTION attribute and using
POST as the submission method. With this form defined, JavaScript
code could then call the form object's submit() method when the
page containing the form was first loaded. This automatically
generated mail in the visitor's name to any desired address. The
mail contained the visitor's email address, which could be stolen
for use in Internet marketing, for example. Furthermore, by
setting appropriate values within the form, this malicious
JavaScript code could send a message in the user's name to any
email address."
CERT Advisory CA-1997-20 [CA-1997-20] gives information on further
security flaws in those early implementations:
"The CERT Coordination Center has received reports of a
vulnerability in JavaScript that enables remote attackers to
monitor a user's Web activities. The vulnerability affects
several Web browsers that support JavaScript.
The vulnerability can be exploited even if the browser is behind a
firewall and even when users browse "secure" HTTPS-based
documents."
Fortunately, most known security issues within common implementations
have been fixed in recent versions.
However, these scripting languages are commonly used to manipulate
the document object model of given documents, thus they can be used
to hide information otherwise visible, for example by removing
elements from the document tree. This feature also enables scripts
to initiate transfers of arbitrary network resources, e.g. by
setting the 'src' attribute of the HTML element 'img' to a new URI.
Security considerations on these resources are subject to individual
Hoehrmann Expires March 22, 2002 [Page 9]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
registered types. This also enables scripts to transfer information
on e.g. the browser or the computing environment back to the server.
Consider a browser providing access to information on the browser
itself, the operating system, screen resolution, installed software,
etc. These information could be transferred to the server by
appending a string to the new URI, e.g.
http://host/?os=Win95&browser=IE5. This affects users privacy and
could be used to exploit vulnerabilities.
6.5 Interoperability Considerations
JavaScript is used on million of web sites today and the scripts are
running on different computer platforms and web browsers at least
most of the time. The standardized sibling of JavaScript,
ECMAScript, is meant to further improve interoperability and recently
deployed implementations claim to be conforming to [ECMA-262] .
Additionally, the World Wide Web Consortium (http://www.w3.org)
standardized the Document Object Model (http://www.w3.org/DOM/) used
in various web browsers and recently deployed web browsers claim to
adhere to some Level of the Document Object Model.
6.6 Published JavaScript specifications
As of time of publication of this document, the latest JavaScript
version is 1.4, as formally specified in the Core JavaScript
Reference [JS14] .
6.7 Published ECMAScript Specifications
The latest specification for ECMAScript is ECMA-262, revision 3
[ECMA-262] published by the European Computer Manufacturers
Association in December 1999. The former revision 2 has been adopted
by ISO as ISO/IEC 16262:1998 [ISO16262] in April 1998.
6.8 Accessibility Considerations
Authors using scripts in combination with (X)HTML documents are
encouraged to follow the checkpoints and using the techniques
summarized in the W3C Note "HTML Techniques for Web Content
Accessibility Guidelines 1.0" [WCAGTECHS] section 12 to insure proper
accessibility of their web pages.
7. Notes on Microsoft's JScript language
This memo does not attempt to register a Media Type for Microsoft's
ECMA-262 implementation called "JScript". JScript is not commonly
identified by any MIME type, Microsoft rather uses a "language"
attribute in host documents like the language attribute of the
Hoehrmann Expires March 22, 2002 [Page 10]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
"script" element in HTML. Microsoft claims that JScript is with only
a few minor exceptions a full implementation of the ECMA-262
standard, thus scripts that don't rely on these exceptions MAY be
labeled with text/ecmascript. JScript scripts conforming to a given
level of JavaScript MAY be labeled as text/javascript or
application/javascript. For more information on Microsoft JScript,
refer to <http://msdn.microsoft.com/scripting/>.
8. Acknowledgments
Thanks to Marshall T. Rose for providing RFC 2629 and the xml2rfc
tool used to generate this memo.
References
[CA-1997-20] CERT Coordination Center, "CERT Advisory CA-1997-20 -
"JavaScript Vulnerability"", July 1997,
<http://www.cert.org/advisories/CA-1997-20.html>.
[ECMA-262] European Computer Manufacturers Association,
"ECMAScript Language Specification 3rd Edition",
December 1999, <http://www.ecma.ch/ecma1/stand/ecma-
262.htm>.
[ISO16262] International Organization for Standardization,
"ECMAScript language specification", April 1998,
<http://www.iso.ch/cate/d29696.html>.
[JS14] Netscape Communications Corporation, "JavaScript 1.4
Core Reference Manual", October 1998,
<http://developer.netscape.com/docs/manuals/js/core/
jsref14/contents.htm>.
[JSGUIDE] Flanagan, D., "JavaScript: The Definitive Guide, 3rd
Edition", ISBN 1-56592-392-8, Published by O'Reilly &
Associates, June 1998,
<http://www.oreilly.com/catalog/jscript3/>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://www.ietf.org/rfc/rfc2119.txt>.
[SVG10] Ferraiolo, J., "Scalable Vector Graphics (SVG) 1.0
Specification", September 2001,
<http://www.w3.org/TR/2001/REC-SVG-20010904/>.
Hoehrmann Expires March 22, 2002 [Page 11]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
[WCAGTECHS] Chisholm, W., Vanderheiden, G. and I. Jacobs, "HTML
Techniques for Web Content Accessibility Guidelines
1.0", November 2000, <http://www.w3.org/TR/WCAG10-HTML-
TECHS/>.
Author's Address
Bjoern Hoehrmann
am Bededeich 7
D-25899 Dagebuell
Germany
Phone: tel:+49-4667-981028
EMail: bjoern@hoehrmann.de
URI: http://bjoern.hoehrmann.de
NOTE: Please write "Bjoern Hoehrmann" with o-umlaut (U+00F6) wherever
possible, e.g. as "Björn Höhrmann" in HTML and XML.
Hoehrmann Expires March 22, 2002 [Page 12]
Internet-Draft JavaScript and ECMAScript Media Types September 2001
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Hoehrmann Expires March 22, 2002 [Page 13]