Review different cross-domain import mechanisms and their security models #157
Comments
See also w3ctag/design-reviews#375 (JSON modules)

@cynthia, do you think you could also take a look at this one?

I think we should take this up as an issue on our Design Principles document, so I propose transferring this issue to that repo. Thoughts?

Yes, transfer to the design principles repo.

Yes, sounds good to me as well. This was briefly discussed in Breakout B today; minutes should be posted on Wednesday after the plenary.

Transferring. I'll take the action to write a PR for this.

I think we should wait for the ES Module Attributes and JSON modules proposal to advance to Stage 3. At that point, we should do a design review of it, and evaluate if we need to add a principle here.
I wrote:
It's Stage 3 now.
Done: w3ctag/design-reviews#535
Personally, I think this issue is well in hand and we don't need to add a principle here.

@hober and I discussed this during the "Cork" F2F. Looking at the issue at hand, while this is indeed a pretty high-impact problem generally, the principles are based on specific antipatterns we have seen in API designs. For this we only have one case, so it feels like this should be treated as a design review problem, and we should see if there are any best practices to extract from the outcome of it, which could potentially be a future principle. But for the time being, it feels a bit preemptive to write a separate section at this point.
Resolved to close this in the breakout 11/12 summary session today. |
During #TC39 73 I learned about ES Module Attributes being proposed to address security concerns when importing JSON modules: ES Module Attributes. Filing this design issue for the TAG to more broadly consider various web-based cross-domain import mechanisms like HTML Modules (334), CSS Modules (405), and ES Modules. Specifically I request the TAG analyze and provide clarity on the exact security model or models and hopefully some degree of consistency and explicit architectural design across these mechanisms.
See the following related issues and efforts:
From a web author, developer, publisher perspective, a more consistent and understandable security model across these would help with easier understanding and better chance of conveying author intent. Thanks for your consideration!
(Originally published at: https://tantek.com/2019/339/b1/cross-domain-import-mechanisms-security)
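The security concern behind the ES Module Attributes proposal referenced in this issue is that a bare `import` of a cross-origin URL tells the host nothing about what the importer expects back: if a server that used to return JSON starts returning JavaScript, the module would be executed. The attribute (`import cfg from "./cfg.json" assert { type: "json" }` in the Stage 3 text; the keyword later became `with`) makes the intent explicit, and the host then refuses a response whose MIME type does not match. The following is an added example, not code from the TAG, TC39, or any browser, modelling that check. The function names, the MIME-type lists, and the constructed scenarios are this example's own simplifications of the HTML spec's module-type-versus-MIME check; a host that supports more module types would extend the same table.

```javascript
// Added example (not from the issue or any spec text): a minimal model of how a
// host derives a module type from the importer's attributes and then checks the
// fetched response against it. Function names and MIME lists are assumptions
// made for this illustration; this host knows only JavaScript and JSON modules.

const JS_MIME = new Set([
  "text/javascript",
  "application/javascript",
  "application/ecmascript",
  "text/ecmascript",
]);

// What the importer asked for. No `type` attribute means "executable script";
// `type: "json"` means "inert data". Anything else is a load failure rather
// than a silent fallback to JavaScript.
function requestedModuleType(importAttributes = {}) {
  const type = importAttributes.type;
  if (type === undefined) return "javascript";
  if (type === "json") return "json";
  return null;
}

// Reduce a Content-Type header value to its lowercased essence, without params.
function mimeEssence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Decide whether the response may be instantiated as the requested module type.
// Returns { ok, moduleType, reason } so callers can log why a load was refused.
function checkModuleResponse(importAttributes, responseContentType) {
  const moduleType = requestedModuleType(importAttributes);
  const essence = mimeEssence(responseContentType);
  if (moduleType === null) {
    return {
      ok: false,
      moduleType,
      reason: `unsupported module type "${importAttributes.type}"`,
    };
  }
  if (moduleType === "json") {
    // application/json, text/json, or a structured-syntax suffix such as +json
    const isJson =
      essence === "application/json" ||
      essence === "text/json" ||
      essence.endsWith("+json");
    return isJson
      ? { ok: true, moduleType, reason: "JSON module, parsed as data" }
      : { ok: false, moduleType, reason: `expected JSON, server sent ${essence || "nothing"}` };
  }
  // moduleType === "javascript": only a JavaScript MIME type may be executed
  return JS_MIME.has(essence)
    ? { ok: true, moduleType, reason: "JavaScript module, will execute" }
    : { ok: false, moduleType, reason: `expected JavaScript, server sent ${essence || "nothing"}` };
}

// Constructed scenarios for a cross-origin import of a config file.
const scenarios = [
  { attrs: { type: "json" }, ct: "application/json; charset=utf-8" }, // intended
  { attrs: { type: "json" }, ct: "text/javascript" },                 // server now serves script
  { attrs: {},               ct: "application/json" },                // bare import of JSON
  { attrs: { type: "css" },  ct: "text/css" },                        // type this host lacks
];

function runScenarios() {
  return scenarios.map((s) => checkModuleResponse(s.attrs, s.ct));
}

for (const r of runScenarios()) {
  console.log(r.ok ? "LOAD  " : "REFUSE", r.moduleType, "-", r.reason);
}
```

The point the example makes for this issue's question is that the attribute turns the security decision into a two-sided agreement: the importer states a type, the server states a type, and the host fails closed on any mismatch, including the bare-import case where JSON is returned to an importer that did not ask for it. Any HTML Modules or CSS Modules design that wants the same guarantee needs an equivalent pair of declarations.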