Re: [w3c/webcomponents] HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior (#839) from Justin Fagnani on 2019-09-18 (public-webapps-github@w3.org from September 2019)

From: Justin Fagnani <notifications@github.com>
Date: Wed, 18 Sep 2019 09:04:32 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/839/532753320@github.com>

Imports as inherently dangerous, and this is why CSP allows for restricting the origin for scripts. That should apply to all imports, regardless of type.

Importing JSON should only be done for trusted sources, and shouldn't in general be done for calling third party APIs (and arguably shouldn't be done for 1st party APIs if you don't want your module graph to fail to load if the API call fails). `fetch()` is much more appropriate for that.

Regarding server-side polyfills, this should still work if the client sends the appropriate `Accept` header.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/839#issuecomment-532753320

Received on Wednesday, 18 September 2019 16:04:54 UTC