-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implicite assert type #4
Comments
What you suggest is actually permitted by this proposal in its current form. This proposal requires that if a Reviewing various comments (1), (2) in the security thread, I think it's unlikely that stakeholders there will be willing to introduce any reliance on file extension even in this scoped case. There is long precedent against it, and investigation has shown that there are surprising mismatches between file extension and actual content type on the web today. If you want to make this case, though, this JSON modules proposal permits hosts to omit the assertion, so the people to convince would be the web folks in that security thread who are against any use of the file extension. |
Thanks for the clarification. It wasn't that obvious that the specification allowed implicite |
After reading the proposal, and as a web developer I was slightly uneasy with an aspect of the JSON module syntax:
Because of the
.json
extension it feels like having theassert
is, in this specific case, somewhat redundant.I get through the whole security thread about the necessity to explicitly state the nature of what is imported and fully agree on the risk and mitigation suggested there. That said, I tend to think that we could introduce some basic heuristic to ease developer work (and adoption).
I would tend to suggest that if the URL in the import ends up with a
.json
extension we should assumeassert { type: "json" }
because it is the most basic web developer intent. On the other hand if a developer decide to serve some non-json content with a.json
extension, then we should just fail at parsing the content as JSON. But if the developer think that this is something legit then in that case, it would make sens to ask them to opt-in for interpretation with for exampleassert { type: "ecmascript" }
. This is counter intuitive but could be necessary in some weird cases.So to summaries, I'm suggesting something along that line:
Regarding dynamic import I would not get into that same suggestion for a simple fact: because the first argument of
import()
can be hidden behind a variable name, the intent of the developer can't be as clear as they think and in that case requiring an explicit type parsing is safer.The text was updated successfully, but these errors were encountered: