-
Notifications
You must be signed in to change notification settings - Fork 337
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What is the right destination type for non-JS modules? #967
Comments
I think bypassing nosniff if you're enforcing MIME types yourself is fine. (Also, this all requires CORS, which helps a lot.) I think the tricky bit with changing destination is that it's a single value and you might accept multiple types. If you accept JSON or JS, what's the destination? Does the server need to know both are acceptable? (tc39/proposal-import-attributes#7) Furthermore, if you accept Wasm, does that mean you're also accepting JS or for that Wasm to import JS? (tc39/proposal-import-attributes#19) |
I suspect the right answer here is not to change destination, precisely because it is developer-facing in Part of the reason we did In other words, we have multiple factors that go into script loading:
We decided not to merge type into destination, and I suggest we do the same for category. Destination is a good independent axis, as-is. |
OK, how should we phrase the logic to turn off nosniff? Should we add "category" to the request, or add a simpler bit to request as @annevk suggested just to turn off this particular thing? For CSS modules, do we have to worry about sending the right |
I think we should offer the server the Category information, in particular as there might be multiple acceptable Categories for a given URL. There's an alternative where Category is a single value and signifies the privilege of the response, but that's not useful for signalling that a worker cannot import a CSS module (which would have the same privilege as JSON, presumably). |
OK, making an additional "category" parameter to request SGTM as a starting point for a future proposal here. I don't have any strong reason to suspect from here that we'll need to change the destination, so I'm closing this issue. Thanks for talking this through. |
In the now-reverted JSON module PR in HTML, the request destination was (accidentally) "script". As discussed in the PR, this is probably a bug: If the server responds with nosniff headers, then the response will be rejected, since the JSON MIME types are not JS MIME types.
In that JSON module PR, the general model was that the server would respond with a MIME type that indicates the module type; the client doesn't know what type the module will be until it gets the response, so of course it would use the "script" destination. However, with the discussion in WICG/webcomponents#839, and the TC39 module attributes proposal, it's possible that the client would indicate something about what kind of module it's expecting back. This could feed into the destination.
In general, what destinations should we use for non-JS module types, such as WebAssembly modules, HTML modules, CSS modules, and JSON modules?
I see two general paths:
Some considerations:
<link rel=modulepreload>
(which currently requires a script-like destination) as well as in the destination attribute in Requests in ServiceWorker.Thoughts?
(thanks to @annevk and @slightlyoff in explaining a bunch of these concepts to me.)
The text was updated successfully, but these errors were encountered: