Import assertions and CSP #115

Closed
guybedford opened this issue Oct 19, 2021 · 6 comments

Comments

@guybedford

@annevk brought up an important discussion in whatwg/html#7233. Currently CSS and JSON modules are falling under the script-src CSP policy by virtue of their integration into the module system.

CSP requires an upfront indicator of the policy in play in order to perform its security checks.

Import assertions might be a way to inform the CSP policy type for a given resource.

Is this a direction this specification would want to take a position on, or does the existing spec allow and/or encourage such directions for HTML?

@guybedford
Author

guybedford commented Oct 19, 2021

It sounds to me like the use as a CSP policy indicator may require a clarification to this specification point:

moduleRequest.[[Assertions]] must not influence the interpretation of the module or the module specifier

Where we explicitly note that it may influence other guarding security layer interpretations such as CSP, as long as they do not involve functional reinterpretations of the module.

@ljharb
Member

ljharb commented Oct 19, 2021

Since CSP just rejects or allows, it seems like it would already be in keeping with the proposal.

@annevk
Member

annevk commented Oct 20, 2021

Well, it would end up changing the interpretation of the module specifier. I.e., how it ends up mapping to a request. But maybe "must not influence" is vague enough.

@ljharb
Member

ljharb commented Oct 20, 2021

@annevk as long as the presence of the assertion either gives you "the same module" or "fails to load", I think it's fine - in other words, "the interpretation of the module" only matters if it actually loads.

I'm assuming that a failing CSP check would fail the module graph, as opposed to loading a different module?
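The invariant discussed in this thread, as an added illustration (not code from the import assertions proposal, the HTML spec, or any commenter): a host may let `assert { type }` pick which CSP directive governs a module fetch, but the assertion must never change which module comes back. Every load either yields the same module a permissive host would have produced, or fails the module graph. The directive mapping, the module registry and the CSP model are assumptions made for the example; the real HTML/CSP integration is decided in whatwg/html#7233.

```javascript
// Added illustration; not code from the import assertions proposal or the HTML spec.
// Models the invariant: assertions may select a CSP directive and gate the load,
// but the outcome is always "same module" or "failed", never a different module.

// Assumed mapping from asserted type to CSP directive (illustrative only).
const ASSUMED_DIRECTIVE_FOR_TYPE = {
  javascript: "script-src", // no type assertion: a plain JavaScript module
  json: "script-src",       // assumed: JSON modules stay under script-src
  css: "style-src",         // assumed: CSS modules governed like stylesheets
};

// Constructed registry standing in for the network: specifier -> module record.
const MODULE_REGISTRY = new Map([
  ["https://cdn.example/app.js", { type: "javascript", body: "export default 1;" }],
  ["https://cdn.example/config.json", { type: "json", body: '{"debug":false}' }],
  ["https://cdn.example/theme.css", { type: "css", body: ":root{--x:1}" }],
]);

// Minimal CSP model: directive -> allowed origins, falling back to default-src.
function cspAllows(policy, directive, url) {
  const sources = policy[directive] ?? policy["default-src"] ?? [];
  const origin = new URL(url).origin;
  return sources.includes("*") || sources.includes(origin);
}

// Host-side module load. Assertions only choose the directive and gate the load;
// they never influence which record is returned or how it is interpreted.
function loadModule(policy, specifier, assertions = {}) {
  const assertedType = assertions.type ?? "javascript";
  const record = MODULE_REGISTRY.get(specifier);
  if (!record) throw new Error(`unknown module: ${specifier}`);
  // A type mismatch fails the load; the host does not reinterpret the module.
  if (record.type !== assertedType) {
    throw new Error(`asserted type "${assertedType}" but resource is ${record.type}`);
  }
  const directive = ASSUMED_DIRECTIVE_FOR_TYPE[assertedType];
  if (!cspAllows(policy, directive, specifier)) {
    throw new Error(`CSP ${directive} blocks ${specifier}`);
  }
  return record;
}

// Reference policy with no restrictions, used to establish "the same module".
const PERMISSIVE = { "default-src": ["*"] };

// Classify a load under `policy` against the permissive load of the same request:
// "same-module" if the identical record comes back, "failed" if CSP or a type
// mismatch rejected it. "different-module" would mean the invariant is broken.
function classifyLoad(policy, specifier, assertions) {
  let reference;
  try {
    reference = loadModule(PERMISSIVE, specifier, assertions);
  } catch {
    reference = null; // fails even without CSP (e.g. a type mismatch)
  }
  try {
    const result = loadModule(policy, specifier, assertions);
    return result === reference ? "same-module" : "different-module";
  } catch {
    return "failed";
  }
}

// Check every registry entry under a policy; true if no load produced a different module.
function invariantHolds(policy) {
  for (const [specifier, record] of MODULE_REGISTRY) {
    const assertions = record.type === "javascript" ? {} : { type: record.type };
    if (classifyLoad(policy, specifier, assertions) === "different-module") return false;
  }
  return true;
}

// Usage: a page that only allows script-src from the CDN. The CSS module is
// blocked (under the assumed style-src mapping) rather than reinterpreted.
const STRICT_SCRIPT_ONLY = { "script-src": ["https://cdn.example"] };
console.log(classifyLoad(STRICT_SCRIPT_ONLY, "https://cdn.example/theme.css", { type: "css" })); // "failed"
console.log(invariantHolds(STRICT_SCRIPT_ONLY)); // true
```

The design choice worth noting is the order of checks: the type mismatch is rejected before CSP is consulted, so a policy can never be the thing that turns one module into another; it can only say yes or no to a fetch the host has already fully identified.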

@annevk
Member

annevk commented Oct 20, 2021

Sure, but I still think that statement could use some clarification (or reduction in scope).

@nicolo-ribaudo
Member

The invariant has been relaxed to permit what HTML needs. Thanks everyone for taking part in the discussion!

I'm closing this issue, as any discussion should now continue on the HTML side at whatwg/html#7233.
