How to bless asset references

[mikesamuel]

The TC39 asset reference +(@bmeck @sebmarkbage) separates information about modules from loading of modules.

Ir provides new syntax for [static asset references]:

asset Foo from "foo";
// Now the name Foo is an asset reference object which can be passed to import(...)

and API for dynamic asset references:

let assetReference = import.resolve("./foo" + fileExtension);

---

It would be nice if Trusted Types could recognize that

• the "module-reference" in asset Name from "module-reference" is in the same protection domain as import * from "module-reference" when guarding dynamic import.
• provide a policy function to bless at least one of
  • a dynamic asset reference
  • its underlying module specifier (perhaps before being passed to import.resolve.

---

import.resolve does not AFAICT, do any security work. No fetching happens. So it seems that import.resolve is not a sink.

[bmeck]

I'd note that import.resolve would expose potential resolutions that might be prevented in other contexts.

// name: privileged
// file allowed to resolve 'secret'
export function resolve(foo) {
  return import.resolve(foo);
}

// not allowed to obtain trusted resolution for 'secret'
import resolve from 'privileged';
resolve('secret');

This kind of pattern of delegated importing is used by ecosystem APIs like React.lazy