- From: Ryosuke Niwa <notifications@github.com>
- Date: Tue, 19 Feb 2019 21:54:46 +0000 (UTC)
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 19 February 2019 21:55:09 UTC
Independent of whether this particular proposal is good or not, JSON files are better than JS files in terms of security because its content can't be loaded cross origin without CORS, and it's a [CORB protected MIME type](https://fetch.spec.whatwg.org/#corb-protected-mime-type). If, for example, the JSON contains information that should be only visible to a logged in user, for example, then it's not sound to turn it into a JS file without a [Cross-Origin-Resource-Policy header](https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header) because such a file could be loaded cross origin without CORS. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/webcomponents/issues/770#issuecomment-465326519
Received on Tuesday, 19 February 2019 21:55:09 UTC