[w3c/webcomponents] HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior (#839) from Ryosuke Niwa on 2019-09-18 (public-webapps-github@w3.org from September 2019)

From: Ryosuke Niwa <notifications@github.com>
Date: Tue, 17 Sep 2019 21:51:49 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/839@github.com>

As we discussed in [TPAC 2019 Web Components session](https://www.w3.org/2019/09/17-components-minutes.html#item18), the current proposal / spec of HTML, CSS, and JSON modules do not specify the type of content in the import statement.

This is problematic because an import statement that intended to load CSS or JSON and not execute arbitrary scripts could end up executing scripts if the destination server's MIME type got changed or the destination server get compromised.

In general, we've made so that the importer of any content can specify how the imported content should be parsed & processed. This is one of the motivations for adding CORS fetch for JSON as opposed to JSONP for example.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/839

Received on Wednesday, 18 September 2019 04:52:11 UTC