Media type registration #265

Closed
lanthaler opened this issue Jun 16, 2013 · 7 comments

@lanthaler (Member)

IANA reviewed our media type and has some questions:

Security considerations:

Since JSON-LD is intended to be a pure data exchange format for directed graphs, the serialization SHOULD NOT be passed through a code execution mechanism such as JavaScript's eval() function to be parsed.

This could be a little more explicit: I take the risk to be that since the content can be essentially anything, it could produce unexpected and even dangerous results.

I would say the first thing we should do here is to reference RFC4627 (JSON). Maybe changing the first sentence to

JSON-LD is, just as JSON [RFC4627], a pure data interchange format...

Not sure what else we could add, maybe something like:

... to be parsed. Evaluating the data as code can lead to unexpected side effects compromising the security of a system.

JSON-LD contexts that are loaded from the Web over non-secure connections, such as HTTP, run the risk of modifying the JSON-LD active context in a way that could compromise security. It is advised that any application that depends on a remote context for mission critical purposes vet and cache the remote context before allowing the system to use it.

Is some commentary in regards to privacy considerations needed here?

I would propose to say something like:

When processing JSON-LD documents, links to remote contexts are typically followed automatically, resulting in the transfer of files without the explicit request of the user for each one. If remote contexts are served by third parties, it may allow them to gather usage patterns or similar information.

Thoughts? Or maybe better formulations? :-)

@lanthaler (Member, Author)

RESOLVED: In the security considerations section, reference RFC4627 and add text explaining that evaluating the data as code can lead to unexpected side effects compromising the security of a system.

RESOLVED: Add the following text to the Security Considerations section: When processing JSON-LD documents, links to remote contexts are typically followed automatically, resulting in the transfer of files without the explicit request of the user for each one. If remote contexts are served by third parties, it may allow them to gather usage patterns or similar information leading to privacy concerns. Explain that this can be controlled through effective use of the API.
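The "vet and cache the remote context" advice and the remote-context privacy point above, as an added example that is not part of this issue or of the JSON-LD specification: a Python document loader that refuses non-HTTPS context URLs, follows only an allowlist of vetted URLs, fetches each one at most once, and parses with json.loads rather than a code-execution mechanism. The context URL, the fake fetch function and the context body are constructed for the example.

```python
import json
from urllib.parse import urlparse


class ContextPolicyError(Exception):
    """A remote @context reference violated the loading policy."""


# Constructed stand-in for the network (hypothetical URL and context body),
# so the example runs offline. FETCH_LOG records every real round trip.
FAKE_REMOTE = {
    "https://example.org/contexts/person.jsonld":
        '{"@context": {"name": "http://schema.org/name"}}',
}
FETCH_LOG = []


def fake_fetch(url):
    """Hypothetical fetch: returns the raw response body as text."""
    FETCH_LOG.append(url)
    return FAKE_REMOTE[url]


def make_context_loader(allowlist, fetch=fake_fetch):
    """Return a loader that follows only vetted HTTPS context URLs,
    fetches each one at most once, and parses it with json.loads."""
    cache = {}

    def load(url):
        if urlparse(url).scheme != "https":
            raise ContextPolicyError("refusing non-HTTPS context: " + url)
        if url not in allowlist:
            raise ContextPolicyError("context not on the vetted allowlist: " + url)
        if url not in cache:
            doc = json.loads(fetch(url))  # a data parser, never eval()
            if "@context" not in doc:
                raise ContextPolicyError("no @context in remote document: " + url)
            cache[url] = doc["@context"]
        return cache[url]

    return load


def resolve_contexts(document, load):
    """Resolve the document's top-level @context: remote references (strings)
    go through `load`, inline context objects are kept as they are."""
    ctx = document.get("@context", [])
    refs = ctx if isinstance(ctx, list) else [ctx]
    return [load(ref) if isinstance(ref, str) else ref for ref in refs]
```

A real deployment would back `fake_fetch` with an HTTPS client that validates certificates; the allowlist is the vetting step, and the cache keeps each third party from observing a fetch per processed document.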

lanthaler added a commit that referenced this issue Jun 18, 2013
@lanthaler
Copy link
Member Author

OK, I've sent the response to IANA and updated the spec.

lanthaler added a commit that referenced this issue Jun 23, 2013
joepio commented Jul 23, 2019

I can't find jsonld anywhere in the IANA MIME registry. Did IANA reject the submission, or am I missing something?

DiegoPino commented Jul 23, 2019 via email

joepio commented Jul 23, 2019

That's strange, because it's not in any of the index representations (HTML, XML, CSV, Plaintext).

I can find all other relevant RDF formats. Shall I contact IANA, or is there a valid reason for why JSON-LD is missing from the indexes?

@DiegoPino

@joepio it's there. But it's application/ld+json, since JSON is also an application-based MIME type. This has been the same MIME type for the last 5-6 years, used in API calls etc. everywhere and adopted in many places as part of the HTTP interactions with the format. Also not going to change (I guess).

joepio commented Jul 23, 2019

Ah, of course. I was ctrl+f'ing jsonld and json+ld, I feel like an idiot.
