Andrea: That is a really interesting approach. I would point out that using
data URIs for js means the `data:` scheme has to be a permitted source for
script-src. This allowance has roughly the same security implications as
permitting `unsafe-eval`. I know most people aren’t using CSPs yet, but
personally I’d be wary of a solution that makes it harder to adopt a strong
CSP.
A super dorky/tangential aside that probably doesn’t matter at all but ...
I notice you used application/javascript for the media type. There’s a
contradiction between the IANA media type registry and the HTML 5 spec with
regard to the "correct" media type to use for JS. RFC 4329 says
application/javascript is the only value that should be used, while HTML
says text/javascript is the only value that should be used. I believe (not
sure though) that this is because it’s the most backwards-compatible value.
Given that the media types registry seems to be basically dead to web
standards (if we follow the registry we can’t serve or post a bunch of
media types acknowledged or defined by web standards at all, including
image/webp, application/csp-report, etc) and the code has to run in a
browser, I’d tend to think HTML is the better spec to follow ... though I
guess when two specs contradict each other it’s hard to make an objective
case for one being more authoritative. (I’d be curious if there’s a
specific reason you know of to prefer to RFC definition though. When
standards don’t align it breaks my tiny heart.)
On Tue, Jun 19, 2018 at 4:09 PM Andrea Giammarchi <
andrea.giammar...@gmail.com> wrote:
> sorry, I meant:
>
> JSON.stringify('data:text/javascript,' + moduleContentAfterTreeShaking);
>
>
> On Tue, Jun 19, 2018 at 10:09 PM, Andrea Giammarchi <
> andrea.giammar...@gmail.com> wrote:
>
>>
>> I think these are all nice to have features, but I also think we have all
>>> the primitives we need to make it happen via pre-processing.
>>>
>>>>
>> I meant even synchronously, with a pre-processor that replace the
>> imported module with
>>
>> 'data:text/javascript,' + JSON.stringify(moduleContentAfterTreeShaking);
>>
>
>
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
