web-platform-tests/interop

Import Assertions

josepharhar opened this issue · 7 comments

This was split from #181

Description

https://chromestatus.com/feature/5765269513306112
Import Assertions are an inline syntax for module import statements to pass on more information alongside the module specifier.

Rationale

https://chromestatus.com/feature/5765269513306112
Standards-track JSON ES modules were proposed to allow JavaScript modules to easily import JSON data files, similarly to how they are supported in many nonstandard JavaScript module systems. This idea quickly got broad support from web developers and browsers, and was merged into HTML, with an implementation for V8/Chromium created by Microsoft.

However, security concerns were raised about privilege escalation that could occur when importing JSON modules and similar module types which cannot execute code. When a script imports something that it intends to be a JSON module, if the responding server unexpectedly provides a different MIME type then it could cause code to be unexpectedly executed. The solution was to somehow indicate that a module was JSON, or in general, not to be executed, somewhere in addition to the MIME type. Import Assertions provide the means for doing so.

Proposed ES module types that are blocked by this security concern, in addition to JSON modules, include CSS modules and potentially HTML modules if the HTML module proposal is restricted to not allow script.

Tests

https://wpt.fyi/results/html/semantics/scripting-1/the-script-element/import-assertions

Spec

https://tc39.es/proposal-import-assertions/

I'm concerned about whatwg/html#7233 still being unresolved. That seems like something that should be resolved. Perhaps it can be resolved as part of this effort, but we cannot get to the end with it being unresolved. (Or perhaps in that case we exclude all these tests.)

@josepharhar can you take a look at #236 (comment)? Today is the last day to refine proposals.

In the MDN short survey on APIs & JavaScript, "Web Components (custom elements, Shadow DOM, etc.)" was the most popular choice by a fairly wide margin, selected by ~39% of survey takers.

Web Components was split into many granular proposals, and the survey results don't tell us which aspects web developers want the most, but it's fair to say that something about Web Components is important. (I'm posting this comment on each of the split proposals.)

AIUI: Import Assertions has now moved down to Stage 2 (from Stage 3).

Putting this on the agenda to discuss. This is included in the Modules focus area, but we left this issue open at launch because the TC39 discussion was happening at the same time.

Hi @josepharhar!

You may have noticed that we announced Interop 2023 and posted comments on all proposals on Feb 1, but this one was left in limbo.

What happened is that we had decided to include this in the Modules focus area, but around the time of launch the feature there was a discussion in the TC39 resulting in tc39/proposal-import-attributes#129, moving the feature from stage 3 to stage 2. It has to do with whatwg/html#7233, although I'm not personally familiar with the details.

You can see the interop team's discussion in #278. It's not that stage 2 features aren't eligible (see proposal template) but comes down to what we're all happy to include, and there's now uncertainty about what the spec is going to end up looking like here.

We also have agreement to revisit including it in Interop 2023 if things change later in the year, that is if it goes back to stage 3.

I'll close this issue now, but if things change please comment here and we'll put it on the agenda to discuss.