search

WICG / import-maps

How to control the behavior of JavaScript imports
https://html.spec.whatwg.org/multipage/webappapis.html#import-maps
Other
2.68k stars 69 forks source link

can we disable or remap `import` for a realm? #191

Closed caridy closed 4 years ago

caridy commented 4 years ago

One thing that we have struggle with is the ability to control code executing arbitrary imports. In the realms-shim (polyfill for realms proposal) we rely on a regexp (yes, yes, we know, bugs keep coming). Additionally, when sandboxing via iframes we also struggle to prevent arbitrary import(). Since this feature is part of the grammar, there is no way to disable it, it becomes more challenging than eval. We have debated a couple of options:

  1. CSP flag to signal to the host that import() should throw (this seems very bizarre and extreme)

  2. Use a generic import map to point to a module that throws for all import statements, or a subject of them. This is related to https://github.com/WICG/import-maps/issues/7

{
  "imports": {
    "*": "/throw.js"
  }
}

cc @jdalton

domenic commented 4 years ago

This isn't in scope for import maps; controlling the execution of code on the web platform is best done via CSP.