- From: Dan Clark <notifications@github.com>
- Date: Wed, 30 Jan 2019 15:26:02 -0800
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/webcomponents/issues/742/459151800@github.com>
I still want to question whether this is a necessary change to make. @annevk said: > "It seems navigating directly to an HTML module should not result in rendering and script execution. A download seems safer." Is there a security issue? What is the threat? If you want the module to be downloaded when navigated to directly, it could be served with a content-disposition header, which will be ignored when loaded as a module. If you want to differentiate an HTML page's behavior based on whether it's loaded as an HTML module or stand-alone page, you can feature detect whether you are executing a script module as part of an HTML module using `import.meta.document`. Maybe there are use cases like displaying a module's documentation if it's requested as a top-level page. In terms of prior art… fetching module scripts today requires that the mime-type match the existing JS mime-types. Why does an HTML module need a new one? https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-single-module-script Additionally, a new mime-type comes with costs to roll out the feature in that servers must be configured to map extensions to new mime-types. These are some arguments against a new mime-type; can someone articulate the arguments in favor of a new one? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/webcomponents/issues/742#issuecomment-459151800
Received on Wednesday, 30 January 2019 23:26:24 UTC