- From: Drew Powers via GitHub <sysbot+gh@w3.org>
- Date: Thu, 07 Dec 2023 00:55:30 +0000
- To: public-design-tokens-log@w3.org
This is an old issue, but I’d love to see this revisited, as icons are an important part of every DS and I do think this is a core token type. I’m strongly in favor of [@CITguy’s most recent proposal](https://github.com/design-tokens/community-group/issues/132#issuecomment-1185995569) (especially the URL Living Standard bit) and think it would work well.

---

> Downloading files always has security implication

To reference how the web, a traditionally insecure platform, has handled it: the [link tag](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/link) marks a reference to a local or remote resource. It marks a **relationship** to the source to designate what’s done with it. And while a few built-in types are understood and executed (`stylesheet` for CSS, `shortcut icon` for favicons, etc.), many are simply ignored.

Perhaps there could be some hint as part of the schema, e.g:

```json
{
  "icons": {
    "$type": "file",
    "alert": {
      "$value": {
        "rel": "icon",
        "url": "https://cdn.foobar.com/icons/alert.svg"
      }
    }
  }
}
```

_Note: `rel` is a bad name; just using it as a placeholder_

Perhaps there are a small number of `rel`s that are recommended, such as:

- `icon`
- `image`
- `video`
- `font` (as in the actual `.ttf` or `.woff2` itself)

And the rest can be up to tooling to respect or ignore (similar to how `$extensions` work).

This hopefully solves some of the security issues, because many systems can do basic checks on this (e.g. “I was expecting `rel: "icon"` but the server returned a mimetype of `application/zip` so I’ll throw an error”). This could also be more extensible than having 1 token type for icons, images, etc.

--
GitHub Notification of comment by drwpow
Please view or discuss this issue at https://github.com/design-tokens/community-group/issues/132#issuecomment-1843957684 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 7 December 2023 00:55:33 UTC
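
The `rel` versus returned-mimetype check described in the comment above, sketched as an added example; it is not part of the original message, the Design Tokens specification, or any existing tool. The `ALLOWED` mapping, the function names, the `bad` and `doc` tokens and the response headers are all assumptions constructed for illustration.

```javascript
// Added example: hypothetical checker, not from the Design Tokens spec or any tool.
// ASSUMPTION: this rel -> MIME mapping is invented; an entry ending in "/" matches any subtype.
const ALLOWED = {
  icon: ["image/svg+xml", "image/png", "image/x-icon", "image/vnd.microsoft.icon"],
  image: ["image/"],
  video: ["video/"],
  font: ["font/"],
};

// Walk the token tree; "$type" set on a group is inherited by the tokens below it.
function collectFileTokens(node, type, path = []) {
  const t = node.$type ?? type;
  if ("$value" in node) return t === "file" ? [{ name: path.join("."), value: node.$value }] : [];
  return Object.entries(node)
    .filter(([k, v]) => !k.startsWith("$") && v && typeof v === "object")
    .flatMap(([k, v]) => collectFileTokens(v, t, [...path, k]));
}

// Compare the declared rel with the Content-Type the server actually returned.
function checkToken({ name, value }, contentType) {
  const allowed = ALLOWED[value.rel];
  if (!allowed) return { name, status: "ignored" }; // unrecognised rel: left to tooling
  const mime = String(contentType ?? "").split(";")[0].trim().toLowerCase();
  const ok = allowed.some((a) => (a.endsWith("/") ? mime.startsWith(a) : mime === a));
  return ok
    ? { name, status: "ok" }
    : { name, status: "error", reason: `expected rel "${value.rel}", got "${mime}"` };
}

// Constructed sample: the token from the comment plus two made-up tokens, and
// made-up Content-Type headers standing in for real HTTP responses.
const tokens = {
  icons: {
    $type: "file",
    alert: { $value: { rel: "icon", url: "https://cdn.foobar.com/icons/alert.svg" } },
    bad: { $value: { rel: "icon", url: "https://cdn.foobar.com/icons/bad.svg" } },
    doc: { $value: { rel: "manual", url: "https://cdn.foobar.com/guide.pdf" } },
  },
};
const headers = {
  "https://cdn.foobar.com/icons/alert.svg": "image/svg+xml; charset=utf-8",
  "https://cdn.foobar.com/icons/bad.svg": "application/zip",
  "https://cdn.foobar.com/guide.pdf": "application/pdf",
};

const run = () => collectFileTokens(tokens).map((t) => checkToken(t, headers[t.value.url]));
console.log(run());
```

The `Content-Type` header is declared by the server, so this check catches a resource that is not what the token file promised; it does not validate the bytes themselves.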