Review result: Ready



I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.



This INFORMATIONAL document is intended to replace RFC 4329 (also
INFORMATIONAL), updated to reflect current practice. The biggest change
appears to be recommending that javascript, when embedded in html, should
use the tag “text/javascript” rather than “application/javascript” while
acknowledging that the two should be considered to be synonyms (along with
 text/ecmascript, text/javascript1.0, text/javascript1.1,
text/javascript1.2, text/javascript1.3, text/javascript1.4,
text/javascript1.5, text/jscript, text/livescript, text/x-javascript,
text/x-ecmascript, application/x-javascript, application/x-ecmascript, and
application/ecmascript).



Security considerations notes that embedding javascript in html is
dangerous and implementers should take care to see nothing bad happens.