-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Import assertions and CSP #115
Comments
It sounds to me like the use as a CSP policy indicator may require a clarification to this specification point:
Where we explicitly note that it may influence other guarding security layer interpretations such as CSP, as long as they do not involve functional reinterpretations of the module. |
since CSP just rejects or allows, it seems like it would already be in keeping with the proposal. |
Well, it would end up changing the interpretation of the module specifier. I.e., how it ends up mapping to a request. But maybe "must not influence" is vague enough. |
@annevk as long as the presence of the assertion either gives you "the same module" or "fails to load", i think it's fine - iow, "the interpretation of the module" only matters if it actually loads. I'm assuming that a failing CSP check would fail the module graph, as opposed to loading a different module? |
Sure, but I still think that statement could use some clarification (or reduction in scope). |
The invariant has been relaxed to permit what HTML needs. Thanks everyone for taking part in the discussion! I'm closing this issue, as any discussion should now continue on the HTML side at whatwg/html#7233. |
@annevk brought up an important discussion in whatwg/html#7233. Currently CSS and JSON modules are falling under the
script-src
CSP policy by virtue of their integration into the module system.CSP requires an upfront indicator of the policy in play in order to perform its security checks.
Import assertions might be a way to inform the CSP policy type for a given resource.
Is this a direction this specification would want to take a position on or does the existing spec allow and or encourage such directions for HTML?
The text was updated successfully, but these errors were encountered: