Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

can we disable or remap import for a realm? #191

Closed
caridy opened this issue Oct 17, 2019 · 1 comment
Closed

can we disable or remap import for a realm? #191

caridy opened this issue Oct 17, 2019 · 1 comment

Comments

@caridy
Copy link

caridy commented Oct 17, 2019
edited
Loading

One thing that we have struggle with is the ability to control code executing arbitrary imports. In the realms-shim (polyfill for realms proposal) we rely on a regexp (yes, yes, we know, bugs keep coming). Additionally, when sandboxing via iframes we also struggle to prevent arbitrary import(). Since this feature is part of the grammar, there is no way to disable it, it becomes more challenging than eval. We have debated a couple of options:

  1. CSP flag to signal to the host that import() should throw (this seems very bizarre and extreme)

  2. Use a generic import map to point to a module that throws for all import statements, or a subject of them. This is related to Sugary defaults: can we create a simple case for advanced ahead-of-time tools? #7

{
  "imports": {
    "*": "/throw.js"
  }
}

cc @jdalton
@domenic
Copy link
Collaborator

domenic commented Oct 17, 2019

This isn't in scope for import maps; controlling the execution of code on the web platform is best done via CSP.

@domenic domenic closed this as completed Oct 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@caridy @domenic