Re: [w3c/webcomponents] HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior (#839) from Ryosuke Niwa on 2019-09-18 (public-webapps-github@w3.org from September 2019)

From: Ryosuke Niwa <notifications@github.com>
Date: Wed, 18 Sep 2019 15:33:28 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/839/532892398@github.com>

> Imports as inherently dangerous, and this is why CSP allows for restricting the origin for scripts. That should apply to all imports, regardless of type.

Given that many websites don't use CSP correctly, relying on websites to correctly deploy CSP to get the right security behavior is not a great plan.

Furthermore, today, if you were to fetch JSON via XHR or fetch API and parse it via `JSON.parse`, there is no chance of the fetched JSON suddenly executing as scripts. This new module loading mechanism, therefore, is a functional regression from existing loading mechanisms.

We believe this security issue is a show stopper issue for HTML, CSS, and JSON modules.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/839#issuecomment-532892398

Received on Wednesday, 18 September 2019 22:34:10 UTC