Restructure import assertions description to ease maintainability #42309
Preview URLs (comment last updated: 2026-01-06 00:36:06)
files/en-us/web/javascript/reference/statements/import/with/index.md
| ``` | ||
|
|
||
| Modules are identified and parsed only according to their served [MIME type](/en-US/docs/Web/HTTP/Guides/MIME_types) — the file extension in the URL cannot be used to identify a file's type. In this case, the MIME type is `application/json`, which tells the browser that the file is JSON and must be parsed as JSON. If, for some reason (e.g., the server is hijacked or bogus), the MIME type in the server response is set to `text/javascript` (for JavaScript source), then the file would be parsed and executed as code. If the "JSON" file actually contains malicious code, the `import` declaration would unintentionally execute external code, posing a serious security threat. | ||
| Modules are identified and parsed only according to their served [media type (MIME type)](/en-US/docs/Web/HTTP/Guides/MIME_types) — the file extension in the URL cannot be used to identify a file's type. In this case, the MIME type is `application/json`, which tells the browser that the file is JSON and must be parsed as JSON. If, for some reason (e.g., the server is hijacked or bogus), the MIME type in the server response is set to `text/javascript` (for JavaScript source), then the file would be parsed and executed as code. If the "JSON" file actually contains malicious code, the `import` declaration would unintentionally execute external code, posing a serious security threat. |
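Review bot: Terminology is inconsistent within the changed paragraph: its first sentence now introduces "media type (MIME type)", but the rest of the same line still says "the MIME type is `application/json`" and "the MIME type in the server response". Since the parenthetical exists to define the term on first use, switch the later occurrences to "media type" so the paragraph matches the "media type" wording this PR uses in the sentence that introduces the import attributes example.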
For my education, because Brian has made the same comment: why is "MIME type" not in fashion anymore?
The IANA decided they didn't like MIME, AIUI because the "E" is for email - and media types are used much more widely. They own the list of media types, and decided that henceforth we'll use this term.
FWIW I don't like it because media type is a much more general term that could mean anything, not just the registered types formerly known as MIME. Hence the clarification on first use.
files/en-us/web/javascript/reference/statements/import/with/index.md
| Import attributes fix this problem by allowing the author to explicitly specify how a module should be validated. | ||
| When using import attributes the code above would be written as shown below, and would fail if the file was served with any media type other than `application/json`: |
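Review bot: The sentence ending "any media type other than `application/json`:" says the import would fail but not what makes it fail, and the statement it replaces, that the author explicitly specifies how a module should be validated, was the link between the attribute and the check. Suggest keeping that point, for example by saying that the `type` attribute declares the expected kind of module and the load is rejected when the served media type does not match. A comma after "When using import attributes" would also help.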
This flows a bit weirder than before IMO. The intended logic was: browsers always have strict MIME validation, and the import above failed validation > MIME validation is done via the type key (implying that other keys can exist for other purposes) > JSON modules correspond to type: "json" > then the example.
Thanks. I've attempted to more closely match your intent in 3300ed0
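The validation logic discussed in this thread, modelled as an added example (not part of the PR, MDN, or any browser's code): the `type` attribute sets the expected module kind, the served media type decides the actual kind, and a mismatch is rejected instead of executed. `resolveModule`, `KIND_BY_MEDIA_TYPE` and the scenarios are constructed for illustration, and only the two media types named in the discussion are modelled.

```javascript
// Added illustration: a simplified model of how a module loader decides
// what to do with a fetched module. Not browser or MDN code.

// Constructed subset: only the two media types named in the discussion.
const KIND_BY_MEDIA_TYPE = new Map([
  ["application/json", "json"],
  ["text/javascript", "javascript"],
]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function essence(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// requestedType is the value of the `type` attribute, or undefined when
// the import has no `with { type: ... }` clause (treated as "javascript").
function resolveModule(contentType, requestedType) {
  const expected = requestedType === undefined ? "javascript" : requestedType;
  const served = KIND_BY_MEDIA_TYPE.get(essence(contentType));
  if (served === undefined) {
    return { action: "reject", reason: "unrecognised media type" };
  }
  if (served !== expected) {
    return { action: "reject", reason: `served ${served}, expected ${expected}` };
  }
  // JSON is only ever parsed as data; JavaScript is the only kind that runs.
  return { action: served === "json" ? "parse-as-data" : "execute" };
}

// Constructed scenarios: [Content-Type header, type attribute].
const scenarios = [
  ["application/json", undefined],             // plain import of a JSON file
  ["application/json; charset=utf-8", "json"], // with { type: "json" }
  ["text/javascript", "json"],                 // server swapped the media type
  ["text/javascript", undefined],              // plain import, served as JS
];

function runScenarios() {
  return scenarios.map(([ct, type]) => resolveModule(ct, type).action);
}

console.log(runScenarios());
```

The third scenario is the case the documentation paragraph is about: with `type: "json"` declared, a response relabelled as `text/javascript` is rejected, whereas the same response to an import without the attribute (fourth scenario) would run as code.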
d5ca233 to 22d5fd8
@Josh-Cena Did the updates address your concerns?

Sorry, was extremely busy. I'll look later this week.
Co-authored-by: Joshua Chen <sidachen2003@gmail.com>
…dex.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
e21aa17 to d3f2c73
pepelsbey left a comment
Thank you, everyone! Looks good to me from the editorial perspective. I’m going to merge it for the 147 release. Feel free to make additional changes in a separate PR.
As discussed in #42306 (comment) the description of import assertions does not provide an easy way to link to particular parts of the concepts, such as a definition of CSS Modules imported using `with { type: "css"}`.
This restructures the existing material to provide some headings. Should allow clean linking to the doc, easier parsing for readers, and maintenance if we later add other module types.
@Josh-Cena Obviously "for discussion and iteration". It is almost all a restructure, with only a tiny amount of new content, which I will highlight.
Related docs work being done in #42255