Re: [w3c/webcomponents] HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior (#839) from Ryosuke Niwa on 2019-09-20 (public-webapps-github@w3.org from September 2019)

From: Ryosuke Niwa <notifications@github.com>
Date: Thu, 19 Sep 2019 18:38:22 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/839/533368657@github.com>

> I think @justinfagnani's point here is interesting and I want to second it. Even aside from security concerns, JSON imports seem like the wrong tool for consuming non-first-party JSON/CSS.

Regardless of whether it's a good idea or not, some web developers are inevitably going to do it. We shouldn't be adding a new foot gun to the Web so that authors can avoid using it in certain situations to avoid creating a new security surface.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/839#issuecomment-533368657

Received on Friday, 20 September 2019 01:38:44 UTC