Import Assertions

Import Assertions are an inline syntax for module import statements to pass on more information alongside the module specifier. The syntax is as follows (shown here is the proposed method for importing a JSON module): import json from "./foo.json" assert { type: "json" };

Motivation

Standards-track JSON ES modules were proposed to allow JavaScript modules to easily import JSON data files, similarly to how they are supported in many nonstandard JavaScript module systems. This idea quickly got broad support from web developers and browsers, and was merged into HTML, with an implementation for V8/Chromium created by Microsoft. However, security concerns were raised about privilege escalation that could occur when importing JSON modules and similar module types which cannot execute code. When a script imports something that it intends to be a JSON module, if the responding server unexpectedly provides a different MIME type then it could cause code to be unexpectedly executed. The solution was to somehow indicate that a module was JSON, or in general, not to be executed, somewhere in addition to the MIME type. Import Assertions provide the means for doing so. Proposed ES module types that are blocked by this security concern, in addition to JSON modules, include CSS modules and potentially HTML modules if the HTML module proposal is restricted to not allow script.

Specification

Editor's draft

Status in Chromium

Blink>HTML>Script


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • Positive
  • Positive
  • Positive

Owner

Comments

See also: https://github.com/whatwg/html/pull/5658

Search tags

import assertions, import attributes, import conditions, JSON modules, CSS modules, HTML modules,

Last updated on 2020-09-25