From: Jean Louis
To: Max Nikulin
Cc: 58774@debbugs.gnu.org, Org Mode List
Subject: Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly
Date: Thu, 27 Oct 2022 20:58:21 +0300
References: <86bkq0qf8p.fsf@protected.rcdrun.com>

* Max Nikulin [2022-10-27 18:40]:
> On 27/10/2022 11:55, Jean Louis wrote:
> >
> > Now is clear that main problem here is that Org advertises somewhere
> > to be "text" in MIME context, while it is not, it is by default
> > "application" and thus unsafe, see:
> ...
> > Text Media Types
> > https://datatracker.ietf.org/doc/html/rfc6838#section-4.2.1
>
> I do not see any problem or any difference what MIME type you are going to
> associate with Org mode. I agree with Arne that text/... type is more
> appropriate for a format readable as text. I do not see any contradictions
> with that RFC.

You were the one speaking and reporting that Org executes Emacs Lisp.
And now you imply that it is safe to open it because it is text? 👀

If Org or any file implies possible execution when loaded, and Org
implies it, it is not any more "text/*" MIME type.

From: https://datatracker.ietf.org/doc/html/rfc6838#section-4.2.5

> 4.2.5. Application Media Types

> The "application" top-level type is to be used for discrete data that
> do not fit under any of the other type names, and particularly for
> data to be processed by some type of application program. This is
> information that must be processed by an application before it is
> viewable or usable by a user.

That is exactly the case with Org. Of course, one could minimize an Org
file to an empty string, and say this is an Org file and there is no
execution necessary, so it is "text". Otherwise information must be
processed by an application which is clearly the Org package before it
is viewable or usable by a user.

> Expected uses for the "application" type name include but are not
> limited to file transfer, spreadsheets, presentations, scheduling
> data, and languages for "active" (computational) material.

✔️ YES, we have spreadsheets in Org whose results may be viewable only
after being computed.

✔️ YES, we have scheduling data, which is viewable only in Org agenda
or by using computations.

✔️ YES, we have languages for active computational material.

> (The last, in particular, can pose security problems that must be
> understood by implementors. The "application/postscript" media type
> registration in [RFC2046] provides a good example of how to handle
> these issues.)

> For example, a meeting scheduler might define a standard
> representation for information about proposed meeting dates.

✔️ YES, we have that functionality in Org.

> An intelligent user agent would use this information to conduct a
> dialog with the user, and might then send additional material based
> on that dialog.

> More generally, there have been several "active" languages developed
> in which programs in a suitably specialized language are transported
> to a remote location and automatically run in the recipient's
> environment. Such applications may be defined as subtypes of the
> "application" top-level type.

✔️ YES, that is exactly what we have in Org mode, as Babel allows
executions of several active languages, and by transferring Org files
to a remote location, they may be automatically run in the recipient's
environment.

> The subtype of "application" will often either be the name or include
> part of the name of the application for which the data are intended.
> This does not mean, however, that any application program name may
> simply be used freely as a subtype of "application"; the subtype needs
> to be registered.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
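
Added example, not part of the original message and not code from Org or Emacs: a pre-render check that looks for the kinds of "active" material the message lists (Babel source blocks, spreadsheet formulas, evaluated file-local variables) before a fetched Org file is handed to Org mode. The pattern list, the function names and both sample documents are assumptions constructed for illustration.

```python
import re

# Org constructs that can lead to code evaluation, depending on Org settings
# and user actions. Assumed, non-exhaustive list chosen for this example.
ACTIVE_PATTERNS = {
    "babel-src-block": re.compile(r"^[ \t]*#\+begin_src\b", re.I | re.M),
    "babel-call": re.compile(r"^[ \t]*#\+call:", re.I | re.M),
    "inline-src": re.compile(r"\bsrc_[\w-]+(?:\[[^\]\n]*\])?\{"),
    "table-formula": re.compile(r"^[ \t]*#\+tblfm:", re.I | re.M),
    "elisp-or-shell-link": re.compile(r"\[\[(?:elisp|shell):", re.I),
    "file-local-eval": re.compile(r"^[ \t]*#[ \t]+eval:", re.I | re.M),
}


def find_active_content(org_text):
    """Return the sorted names of active constructs present in org_text."""
    return sorted(n for n, rx in ACTIVE_PATTERNS.items() if rx.search(org_text))


def handling_for(org_text):
    """'inert': no active construct found, show as text.
    'needs-confirmation': ask the user before opening the file in Org mode."""
    return "needs-confirmation" if find_active_content(org_text) else "inert"


# Constructed sample inputs (not taken from the thread).
PLAIN_DOC = """\
* Meeting notes
SCHEDULED: <2022-10-28 Fri>
Plain paragraph with a [[https://orgmode.org][link]].
"""

ACTIVE_DOC = """\
* Report
#+BEGIN_SRC sh
echo hello
#+END_SRC
| a | b |
| 1 | 2 |
#+TBLFM: $2=$1*2
# Local Variables:
# eval: (message "loaded")
# End:
"""

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_DOC), ("active", ACTIVE_DOC)):
        print(name, handling_for(doc), find_active_content(doc))
```
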