Move security considerations to separate section with references from registrations.

gkellogg · gkellogg · commit 26c20aa5d477 · 2023-07-17T11:14:01.000-07:00
diff --git a/index.html b/index.html
@@ -3888,7 +3888,7 @@ <h3>Using the Document Base for the Default Vocabulary</h3>
     To prevent this divergence of interpretation,
     JSON-LD 1.1 allows term definitions to be <em>protected</em>.
     </p>
-  <p>A <dfn>protected term definition</dfn> is a term definition with an <a>entry</a> <code>@protected</code> set to <code>true</code>.
+  <p>A <dfn class="export">protected term definition</dfn> is a term definition with an <a>entry</a> <code>@protected</code> set to <code>true</code>.
     It generally prevents further contexts from overriding this term definition,
     either through a new definition of the same term,
     or through clearing the context with <code>"@context": null</code>.
@@ -13015,7 +13015,35 @@ <h3>Serializing/Deserializing RDF</h3>
 
 <section id="security">
   <h3>Security Considerations</h3>
-  <p>See, <a href="#iana-security">Security Considerations</a> in <a href="#iana-considerations" class="sectionRef"></a>.</p>
+  <p>See <a data-cite="RFC8259#section-12">RFC&nbsp;8259, section 12</a> [[RFC8259]].</p>
+  <p>Since JSON-LD is intended to be a pure data exchange format for
+    directed graphs, the serialization SHOULD NOT be passed through a
+    code execution mechanism such as JavaScript's <code>eval()</code>
+    function to be parsed. An (invalid) document may contain code that,
+    when executed, could lead to unexpected side effects compromising
+    the security of a system.</p>
+  <p>When processing JSON-LD documents, links to remote contexts and frames are
+    typically followed automatically, resulting in the transfer of files
+    without the explicit request of the user for each one. If remote
+    contexts are served by third parties, it may allow them to gather
+    usage patterns or similar information leading to privacy concerns.
+    Specific implementations, such as the API defined in the
+    JSON-LD 1.1 Processing Algorithms and API specification [[JSON-LD11-API]],
+    may provide fine-grained mechanisms to control this behavior.</p>
+  <p>JSON-LD contexts that are loaded from the Web over non-secure connections,
+    such as HTTP, run the risk of being altered by an attacker such that
+    they may modify the JSON-LD <a>active context</a> in a way that
+    could compromise security. It is advised that any application that
+    depends on a remote context for mission critical purposes vet and
+    cache the remote context before allowing the system to use it.</p>
+  <p>Given that JSON-LD allows the substitution of long IRIs with short terms,
+    JSON-LD documents may expand considerably when processed and, in the worst case,
+    the resulting data might consume all of the recipient's resources. Applications
+    should treat any data with due skepticism.</p>
+  <p>As JSON-LD places no limits on the IRI schemes that may be used,
+    and vocabulary-relative IRIs use string concatenation rather than
+    IRI resolution, it is possible to construct IRIs that may be
+    used maliciously, if dereferenced.</p>
 
   <p class="note">Future versions of this specification
     may incorporate subresource integrity [[?SRI]] as a means of ensuring that cached and retrieved
@@ -13425,7 +13453,7 @@ <h2>IANA Considerations</h2>
   <p>This section has been submitted to the Internet Engineering Steering
     Group (IESG) for review, approval, and registration with IANA.</p>
   
-  <section id="media-type-ld-json">
+  <section id="application-ld-json">
     <h3>application/ld+json</h3>
     <dl>
       <dt>Type name:</dt>
@@ -13469,11 +13497,6 @@ <h3>application/ld+json</h3>
             </dl>
             <p>All other URIs starting with <code>http://www.w3.org/ns/json-ld</code>
               are reserved for future use by JSON-LD specifications.</p>
-            <!--p>Other specifications MAY create further structured subtypes
-              by using `+ld+json` as a suffix for a new base subtype, as in
-              `application/example+ld+json`.
-              Unless defined otherwise, such subtypes use the same
-              fragment identifier behavior as `application/ld+json`.</p-->
             <p>Other specifications may publish additional `profile` parameter
               URIs with their own defined semantics.
               This includes the ability to associate a file extension with a `profile` parameter.</p>
@@ -13493,35 +13516,8 @@ <h3>application/ld+json</h3>
       <dt>Encoding considerations:</dt>
       <dd>See <a data-cite="RFC8259#section-11">RFC&nbsp;8259, section 11</a>.</dd>
       <dt id="iana-security">Security considerations:</dt>
-      <dd>See <a data-cite="RFC8259#section-12">RFC&nbsp;8259, section 12</a> [[RFC8259]]
-        <p>Since JSON-LD is intended to be a pure data exchange format for
-          directed graphs, the serialization SHOULD NOT be passed through a
-          code execution mechanism such as JavaScript's <code>eval()</code>
-          function to be parsed. An (invalid) document may contain code that,
-          when executed, could lead to unexpected side effects compromising
-          the security of a system.</p>
-        <p>When processing JSON-LD documents, links to remote contexts and frames are
-          typically followed automatically, resulting in the transfer of files
-          without the explicit request of the user for each one. If remote
-          contexts are served by third parties, it may allow them to gather
-          usage patterns or similar information leading to privacy concerns.
-          Specific implementations, such as the API defined in the
-          JSON-LD 1.1 Processing Algorithms and API specification [[JSON-LD11-API]],
-          may provide fine-grained mechanisms to control this behavior.</p>
-        <p>JSON-LD contexts that are loaded from the Web over non-secure connections,
-          such as HTTP, run the risk of being altered by an attacker such that
-          they may modify the JSON-LD <a>active context</a> in a way that
-          could compromise security. It is advised that any application that
-          depends on a remote context for mission critical purposes vet and
-          cache the remote context before allowing the system to use it.</p>
-        <p>Given that JSON-LD allows the substitution of long IRIs with short terms,
-          JSON-LD documents may expand considerably when processed and, in the worst case,
-          the resulting data might consume all of the recipient's resources. Applications
-          should treat any data with due skepticism.</p>
-        <p>As JSON-LD places no limits on the IRI schemes that may be used,
-          and vocabulary-relative IRIs use string concatenation rather than
-          IRI resolution, it is possible to construct IRIs that may be
-          used maliciously, if dereferenced.</p>
+      <dd>
+        See <a href="#security" class="sectionRef"></a>.
       </dd>
       <dt>Interoperability considerations:</dt>
       <dd>Not Applicable</dd>
@@ -13688,35 +13684,7 @@ <h3>+ld+json</h3>
       -->
       <dt>Security considerations</dt>
       <dd>
-        See <a data-cite="RFC8259#section-12">RFC&nbsp;8259, section 12</a> [[RFC8259]]
-        <p>Since JSON-LD is intended to be a pure data exchange format for
-          directed graphs, the serialization SHOULD NOT be passed through a
-          code execution mechanism such as JavaScript's <code>eval()</code>
-          function to be parsed. An (invalid) document may contain code that,
-          when executed, could lead to unexpected side effects compromising
-          the security of a system.</p>
-        <p>When processing JSON-LD documents, links to remote contexts and frames are
-          typically followed automatically, resulting in the transfer of files
-          without the explicit request of the user for each one. If remote
-          contexts are served by third parties, it may allow them to gather
-          usage patterns or similar information leading to privacy concerns.
-          Specific implementations, such as the API defined in the
-          JSON-LD 1.1 Processing Algorithms and API specification [[JSON-LD11-API]],
-          may provide fine-grained mechanisms to control this behavior.</p>
-        <p>JSON-LD contexts that are loaded from the Web over non-secure connections,
-          such as HTTP, run the risk of being altered by an attacker such that
-          they may modify the JSON-LD <a>active context</a> in a way that
-          could compromise security. It is advised that any application that
-          depends on a remote context for mission critical purposes vet and
-          cache the remote context before allowing the system to use it.</p>
-        <p>Given that JSON-LD allows the substitution of long IRIs with short terms,
-          JSON-LD documents may expand considerably when processed and, in the worst case,
-          the resulting data might consume all of the recipient's resources. Applications
-          should treat any data with due skepticism.</p>
-        <p>As JSON-LD places no limits on the IRI schemes that may be used,
-          and vocabulary-relative IRIs use string concatenation rather than
-          IRI resolution, it is possible to construct IRIs that may be
-          used maliciously, if dereferenced.</p>
+        See <a href="#security" class="sectionRef"></a>.
       </dd>
 
       <!-- 
