Document security implications of property generators and IRI abbreviation
authorMarkus Lanthaler <mark_lanthaler@gmx.net>
Sun, 17 Feb 2013 14:17:03 +0100
changeset 1284 246d44385d11
parent 1283 66a38a8f9b45
child 1285 de96adbad82e
Document security implications of property generators and IRI abbreviation

This addresses #215.
spec/latest/json-ld-syntax/index.html
--- a/spec/latest/json-ld-syntax/index.html	Sun Feb 17 13:41:13 2013 +0100
+++ b/spec/latest/json-ld-syntax/index.html	Sun Feb 17 14:17:03 2013 +0100
@@ -3306,20 +3306,24 @@
     </dl>
   </dd>
   <dt>Encoding considerations:</dt>
-  <dd>The same as the <code>application/json</code> MIME media type.</dd>
+  <dd>See RFC&nbsp;6839, section 3.1.</dd>
   <dt>Security considerations:</dt>
   <dd>Since JSON-LD is intended to be a pure data exchange format for
     directed graphs, the serialization SHOULD NOT be passed through a
     code execution mechanism such as JavaScript's <code>eval()</code>
-    function. It is RECOMMENDED that a conforming parser does not attempt to
-    directly evaluate the JSON-LD serialization and instead purely parse the
-    input into a language-native data structure. <br/>
+    function to be parsed.<br/>
     JSON-LD contexts that are loaded from the Web over non-secure connections,
     such as HTTP, run the risk of modifying the JSON-LD
     <tref>active context</tref> in a way that could compromise security. It
     is advised that any application that depends on a remote context for mission
     critical purposes vet and cache the remote context before allowing the
-    system to use it.</dd>
+    system to use it.<br />
+    JSON-LD allows the substitution of long IRIs with short terms and the
+    compression of multiple properties into a single property generator. Therefore,
+    JSON-LD documents may expand enormously when processed and, in the worst case,
+    the resulting data might consume all of the recipient's resources. Applications
+    should treat any data with due skepticism.
+  </dd>
   <dt>Interoperability considerations:</dt>
   <dd>Not Applicable</dd>
   <dt>Published specification:</dt>
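Review bot: the new paragraph on term and property-generator expansion (the lines ending "Applications should treat any data with due skepticism.") names the resource-exhaustion risk but gives no mitigation a processor can actually apply; suggest stating one, e.g. "Processors SHOULD bound the size of the expanded output (number of statements or bytes) and fail rather than exhaust memory", and use the RFC 2119 "SHOULD" in capitals, since the surrounding sentences in this <dd> use "SHOULD NOT" and "RECOMMENDED". Two smaller points in the same hunk: the rewritten first sentence now reads "...passed through a code execution mechanism such as JavaScript's eval() function to be parsed", which is awkward; something like "SHOULD NOT be parsed by passing it through a code execution mechanism such as JavaScript's eval()" says the same thing cleanly, and the removed RECOMMENDED sentence about parsing into a language-native data structure was the only parser-level guidance here, so consider keeping it. Also the hunk mixes "<br/>" (after "to be parsed.") with "<br />" (after "system to use it."); pick one.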