Re: [w3c/webcomponents] HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior (#839) from Shu-yu Guo on 2019-10-10 (public-webapps-github@w3.org from October 2019)

From: Shu-yu Guo <notifications@github.com>
Date: Wed, 09 Oct 2019 17:32:56 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/839/540267482@github.com>

How do feel folks about solving the narrower problem of importing things that shouldn't execute instead of the problem of importing things of different formats? That's the crux of the security concern as I understand it, not the need to support different formats.

I'm with @annevk that there's nothing host-specific about wanting JSON to not execute script. I like the idea of passing metadata via import to the host, but ISTM an NX bit should be directly conveyed.

To build on Dan's earlier strawman syntax:

```js
import doc from "./foo.json" with noexecute;
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/839#issuecomment-540267482

Received on Thursday, 10 October 2019 00:33:02 UTC