Re: [w3c/webcomponents] HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior (#839)

> What is the mechanism by which JSON modules will be allowed then? If CSP, that would contradict your earlier statement that "I think there may be some confusion, I'm only proposing *.json application/json be applied as an assertion, it does not actually change the type".

It is allowed if it passes the policy, the type is still entirely determined by the `Content-Type` header. Note that it is true that it changes **if it is parsed** but it does **not change how** it is parsed.

> That's the only model that works. In fact, that's how Web works today. Look at how stylesheets, scripts, images, etc... are loaded with link & style element. They specify how the content should be processed; e.g. as a stylesheet.

This is only partially true, `Content-Type` decides things as well. For example if I send a video `Content-Type` declares the decoder to use. Or if I use `<script type="module" src="some-file">` and send `text/python` then the browser will reject it as currently specified.

The entry point determines what to do with the resource, the `Content-Type` distinguishes how to process that resource for that particular goal. It's just a case that things like `<link rel="stylesheet">` only support one type (in this case `text/css`).

`import` only tells us to load it as a "module"; it doesn't specify the type of module to load. The security implications are important to consider but this is a matter of ensuring resources are what you expect them to be (and people expect `.json` to be `text/json`) so instead of enforcing at every site why not enforce universal expectations (universal within a site at least) universally?

> That's a hard & absolute requirement for any solution to this problem.

But you're defining the problem to be that developers need to have the parse type at import-site. That's circular, the problem isn't that, it's that we don't want to upgrade from JSON->JavaScript unexpectedly, the solution of placing the declaration at every call site is one way of doing so.

https://github.com/w3c/webcomponents/issues/839#issuecomment-555378607

Received on Tuesday, 19 November 2019 07:52:54 UTC
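
Added example, not part of the original message or of any specification: a JavaScript sketch of the model the reply describes, where a site-wide policy asserts the expected type for `*.json` and so decides whether a response is parsed at all, while `Content-Type` alone selects the parser. The policy format, the parser table and the names `POLICY`, `PARSERS`, `mimeEssence` and `resolveModule` are assumptions, since the thread defines no concrete syntax.

```javascript
// Added illustration: all names here are hypothetical, not from any spec.
// MIME type -> parser. Content-Type alone selects HOW a response is parsed.
const PARSERS = new Map([
  ["application/json", "json-module"],
  ["text/javascript", "javascript-module"],
  ["text/css", "css-module"],
  ["text/html", "html-module"],
]);

// Constructed site-wide policy: path suffix -> MIME type the site asserts.
const POLICY = [
  { suffix: ".json", mime: "application/json" },
  { suffix: ".css", mime: "text/css" },
];

// Reduce a Content-Type header to its lowercase type/subtype essence.
function mimeEssence(header) {
  return String(header || "").split(";")[0].trim().toLowerCase();
}

function resolveModule(url, contentType, policy = POLICY) {
  const mime = mimeEssence(contentType);
  // Match on the path only, so a query string cannot dodge the suffix rule.
  const path = new URL(url).pathname.toLowerCase();
  const rule = policy.find((r) => path.endsWith(r.suffix));

  // Policy is an assertion: it decides IF the response is parsed, never HOW.
  if (rule && rule.mime !== mime) {
    return { allowed: false, parser: null,
             reason: `policy asserts ${rule.mime}, server sent ${mime || "nothing"}` };
  }
  // No rule, or the assertion held: the Content-Type picks the parser.
  const parser = PARSERS.get(mime);
  if (!parser) {
    return { allowed: false, parser: null, reason: `unsupported module type ${mime || "(none)"}` };
  }
  return { allowed: true, parser, reason: "ok" };
}

// Constructed responses: same URL, honest vs. unexpected Content-Type.
console.log(resolveModule("https://site.example/config.json", "application/json; charset=utf-8"));
console.log(resolveModule("https://site.example/config.json?v=2", "text/javascript"));
console.log(resolveModule("https://site.example/app.js", "text/javascript"));
```

The second call is the JSON-to-JavaScript upgrade the thread is concerned with: the policy rejects the response instead of letting the script parser run.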