On Monday, January 8, 2024 at 7:59:23 PM UTC+1 nrib...@igalia.com wrote:
Hello, For those looking for the spec diff relative to this change, you can find it in the HTML and Fetch PRs that introduced it: https://github.com/whatwg/ html/pull/9486, https://github.com/whatwg/fetch/pull/1691 --- Nicolò Ribaudo On Monday, January 8, 2024 at 2:20:43 PM UTC+1 Nicolò Ribaudo wrote: Contact emails nrib...@igalia.com Explainer None Specification https://html.spec.whatwg.org/#fetch-a-single-module-script Summary CSS and JSON modules will be fetched using a specific fetch destination (either "css" or "json") rather than a generic "script", that is normally used for JavaScript modules. This has the following effects: - the `Accept` HTTP header in the request will describe the expected mime type (`text/css,*/*;q=0.1` or `application/json,*/*;q=0.5`) - those modules will respect the style-src or connect-src Content Security Policies, rather than using JavaScript's script-src - When inspecting the request's destination (either through a service worker or through the `Sec-Fetch-Destination` HTTP header) it will be reported as `"css"` or `"json"`, rather than empty. Can you confirm that you meant "style" destination for CSS modules, rather than "css"? That's what seemed to be defined in the spec PR, and it also makes more sense IMO. (as it aligns with <link rel=stylesheet>, and doesn't a new destination for CSS modules) Blink component Blink>HTML>Modules <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EHTML%3EModules> Search tags CSS modules <https://chromestatus.com/features#tags:CSS%20modules>, JSON modules <https://chromestatus.com/features#tags:JSON%20modules>, imports <https://chromestatus.com/features#tags:imports>, CSP <https://chromestatus.com/features#tags:CSP>, fetch destination <https://chromestatus.com/features#tags:fetch%20destination> TAG review None TAG review status Not applicable Risks Interoperability and Compatibility None *Gecko*: No signal *WebKit*: Positive (https://github.com/WebKit/standards-positions/issues/128) Webkit was supportive of the import attributes proposal conditional on these changes to how JSON/CSS modules are fetched *Web developers*: No signals *Other signals*: Security This feature better aligns usage of CSP directives to user expectations (e.g. using style-src for CSS) WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None Debuggability None Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? No Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ? Yes - https://wpt.fyi/results/fetch/api/request/destination/fetch- destination.https.html - https://wpt.fyi/results/content-security-policy/ connect-src/connect-src-json-import-allowed.sub.html - https://wpt.fyi/results/content-security-policy/ connect-src/connect-src-json-import-blocked.sub.html - https://wpt.fyi/results/content-security-policy/style- src/import-style-allowed.sub.html - https://wpt.fyi/results/ content-security-policy/style-src/import-style-blocked.sub.html Flag name on chrome://flags None Finch feature name kFetchDestinationJsonCssModules Requires code in //chrome? False Tracking bug https://bugs.chromium.org/p/chromium/issues/detail?id=1491336 Estimated milestones No milestones specified Anticipated spec changes None Link to entry on the Chrome Platform Status https://chromestatus.com/ feature/4839834432831488 This intent message was generated by Chrome Platform Status <https://chromestatus.com>. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/35742f72-c4b9-4e61-addb-6aa061bae9efn%40chromium.org.
