During #TC39 73 I’ve learned about ES Modules Attributes being proposed to address security concerns when importing JSON modules: ES Module Attributes. Filing this design issue for the TAG to more broadly consider various web-based cross-domain import mechanisms like HTML Modules (334), CSS Modules (405), and ES Modules. Specifically I request the TAG analyze and provide clarity on the exact security model or models and hopefully some degree of consistency and explicit architectural design across these mechanisms.
See the following related issues and efforts:
- webcomponents: HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior #839
- Dynamic Import Host Adjustment presentation Dec 2019 (Explainer)
From a web author, developer, publisher perspective, a more consistent and understandable security model across these would help with easier understanding and better chance of conveying author intent. Thanks for your consideration!