
Issue 739820

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Feature




Implement an allow list for content types on script for import() and import statement

Project Member Reported by d...@google.com, Jul 6 2017

Issue description

As import() is just being implemented (https://groups.google.com/a/chromium.org/d/msg/blink-dev/wRLMM5-kpCY/Y0be_ASaAwAJ), we have a good opportunity to get more strict about content type validation.

It looks like the current behavior in Chrome is that specific media content types (png, etc.) will not be loaded as script, but other non-script types (at least application/octet-stream and text/plain) will load as script.

I'd like to propose that import() switch to an allow-list strategy. Maybe it's not too late to do the same with the import statement as well.

Mike West reports that the implementation here is in the Fetch code.

Also, for reference:

Twitter thread: https://twitter.com/randomdross/status/883035368391561216
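
The difference between the block-list behaviour described in the report and the proposed allow-list, as an added example that is not part of the original issue or Chromium's code. The allow-list is the JavaScript MIME type set from the WHATWG MIME Sniffing standard; the block-list rule (image, audio and video types only), the function names and the sample headers are illustrative assumptions.

```javascript
// Added example: block-list vs allow-list decisions on a response Content-Type.
// Allow-list: "JavaScript MIME type" essences from the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a Content-Type header value to its lowercase "type/subtype" essence.
// Returns null when the header is missing or malformed.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[!#$%&'*+\-.^_`|~0-9a-z]+\/[!#$%&'*+\-.^_`|~0-9a-z]+$/.test(essence)
    ? essence : null;
}

// Block-list (assumed, simplified): refuse only known media types, so anything
// else, including a missing or unparseable type, is executed as script.
function blockListAllows(contentType) {
  const essence = mimeEssence(contentType);
  if (essence === null) return true;
  return !/^(image|audio|video)\//.test(essence);
}

// Allow-list: execute only when the essence is a JavaScript MIME type.
function allowListAllows(contentType) {
  const essence = mimeEssence(contentType);
  return essence !== null && JS_MIME_ESSENCES.has(essence);
}

// Constructed sample headers, not captured traffic.
const SAMPLES = ["text/javascript; charset=utf-8", "Application/JavaScript",
  "image/png", "application/octet-stream", "text/plain", "", undefined];

// Evaluate both policies for each header so the disagreements are visible.
function compare(samples) {
  return samples.map((ct) => ({
    contentType: ct,
    blockList: blockListAllows(ct),
    allowList: allowListAllows(ct),
  }));
}

console.table(compare(SAMPLES));
```

The rows where the two policies disagree are the non-script types named in the report (application/octet-stream, text/plain) plus the empty and missing headers.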

 

Comment 1 by d...@google.com, Jul 6 2017

Ahh, looks like this is already accounted for and we can close this bug.

References: 
https://jakearchibald.com/2017/es-modules-in-browsers/#mime-types
https://groups.google.com/a/chromium.org/d/msg/blink-dev/wRLMM5-kpCY/5CpvjH7YAwAJ
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 11 2017

Labels: Hotlist-Google

Comment 3 by mkwst@chromium.org, Sep 15 2017

Status: WontFix (was: Untriaged)
