The following document contains answers to the Self-Review Security and Privacy Questionnaire.
No
No
3.3. Does this specification introduce new state for an origin that persists across browsing sessions?
No
No
3.5. Does this specification expose any other data to an origin that it doesn’t currently have access to?
No
The specification makes JavaScript's import statement more powerful in that it can now be used to load HTML files, which can themselves contain inline scripts and import additional scripts and HTML. However the purpose of import was already to load and execute script so this is not really introducing a new vector for doing so.
No
No
3.9. Does this specification allow an origin access to aspects of a user’s local computing environment?
No
No
3.11. Does this specification allow an origin some measure of control over a user agent’s native UI?
No
No
No
No difference.
No
3.16. Does this specification have a "Security Considerations" and "Privacy Considerations" section?
The complete specification of this feature is still pending. We expect that the relevant parts of this document will be present in the final version of the spec.
HTML Modules support and require CORS headers in the same manner as ES6 script modules per their definition in the ES6 and HTML specifications.