Re: [w3c/webcomponents] HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior (#839) from Justin Fagnani on 2019-12-06 (public-webapps-github@w3.org from December 2019)

From: Justin Fagnani <notifications@github.com>
Date: Fri, 06 Dec 2019 10:47:05 -0800
To: w3c/webcomponents <webcomponents@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/839/562691873@github.com>

> > Is it OK for WebAssembly modules to have parsing behavior based on their MIME type? That's what the current proposal does.
> 
> That’s not ideal but less problematic because the expectation of loading WASM & JS are similar: they execute arbitrary scripts. It’s not so with CSS & JSON.

In think about this a bit today... WASM doesn't have access to the DOM, correct? So an author could assume a WASM module has restricted access if it's not explicitly passed functions to allow it DOM access. If a file previously served as `application/wasm` was later served with `application/javascript`, would this present a similar security concern?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/839#issuecomment-562691873

Received on Friday, 6 December 2019 18:47:08 UTC