Good news: this is already part of the spec (and this implementation).

For module scripts (loaded either via <script type=module>, an import
declaration in a module script, or via this new import() API), the HTML
spec requires an appropriate JavaScript mime type. See
https://html.spec.whatwg.org/#fetch-a-single-module-script step 7 for the
spec text.

On Thu, Jul 6, 2017 at 11:37 AM, drx via blink-dev <[email protected]>
wrote:

> This is a good opportunity to get more strict about content type
> validation.
>
> It looks like the current behavior in Chrome is that specific media
> content types (png, etc.) will not be loaded as script, but other
> non-script types (at least application/octet-stream and text/plain) will
> load as script.
>
> I'd like to propose that import() switch to an allow-list strategy.  Since
> import() is a new API, we have the ability to lock down here without
> breaking existing sites.  Maybe it's not too late to do the same with the
> import statement
> <https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/import>
> as well.
>
> Would it be appropriate to include the allow-list requirement in either of
> the specs associated with this intent to implement?
>
> I bounced this around some web security folks within Google and there is
> agreement that an allow-list would be a good thing.  Also, from Eric
> Lawrence:
> > Mike West sounds on board
> <https://twitter.com/mikewest/status/804381984457977856>; he'd made the original fix
> <https://chromium.googlesource.com/chromium/src/+/68588b94a477621f608620ef8d36459c81e00e11>
> which blocks <https://www.bayden.com/test/mime/script.asp> image/*.
>
>
> On Thursday, July 6, 2017 at 10:48:32 AM UTC-7, Sathya Gunasekaran wrote:
>>
>> On Wed, Jul 5, 2017 at 7:56 PM, Zac Hansen <[email protected]> wrote:
>> > Is this related, in any way, to
>> > https://v8.paulfryzel.com/docs/master/classv8_1_1_module.html ?
>> >
>> > Will this documentation be updated as a part of this implementation, if
>> > appropriate?
>> >
>>
>> The relevant documentation is here:
>> https://cs.chromium.org/chromium/src/v8/include/v8.h?l=6120&rcl=b520c6ed5eadf29b950a0fc567a327b93c48c02d
>>
>> The tracking bug for V8
>> (https://bugs.chromium.org/p/v8/issues/detail?id=5785) has more
>> information (including a design doc).
>>

-- 
v8-users mailing list
[email protected]
http://groups.google.com/group/v8-users
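
The two Content-Type policies contrasted in this thread, as an added JavaScript example that is not part of the original messages and is not Chrome's or V8's code. The function names and sample URLs are hypothetical, the block-list is simplified to the image/* case the thread mentions, and the allow-list is the set of JavaScript MIME types from the WHATWG MIME Sniffing standard.

```javascript
// Added illustration; not code from Chrome, V8, or the HTML spec.
// JavaScript MIME type essences from the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// HTTP token characters, used to validate "type/subtype".
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9a-z]+";
const ESSENCE_RE = new RegExp("^" + TOKEN + "/" + TOKEN + "$");

// Return the lowercase "type/subtype" essence of a Content-Type value,
// ignoring parameters such as charset; null if it does not parse.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return ESSENCE_RE.test(essence) ? essence : null;
}

// Allow-list (module scripts, import()): only JavaScript MIME types pass.
function moduleScriptAllowed(contentType) {
  const essence = mimeEssence(contentType);
  return essence !== null && JS_MIME_ESSENCES.has(essence);
}

// Block-list, simplified from the thread's description of classic scripts:
// image/* is refused, everything else (even a missing type) is executed.
function classicScriptAllowed(contentType) {
  const essence = mimeEssence(contentType);
  return essence === null || !essence.startsWith("image/");
}

// Flag resources that a block-list would run but an allow-list rejects.
function findPolicyGaps(resources) {
  return resources
    .filter((r) => classicScriptAllowed(r.contentType) && !moduleScriptAllowed(r.contentType))
    .map((r) => r.url);
}

// Constructed sample responses (URLs are placeholders).
const SAMPLE = [
  { url: "https://example.test/app.js", contentType: "text/javascript; charset=utf-8" },
  { url: "https://example.test/upload.txt", contentType: "text/plain" },
  { url: "https://example.test/blob.bin", contentType: "application/octet-stream" },
  { url: "https://example.test/logo.png", contentType: "image/png" },
];
console.log(findPolicyGaps(SAMPLE));
```

Run against a site's own response headers, the flagged URLs are the ones served with a non-script type (user uploads, for instance) that a block-list policy would still execute.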