@dherman
Last active January 31, 2017 16:49
proposed cors policy for modules

Proposed CORS Policy for Modules

Module MIME types are strict

If a module script receives a non-JS MIME type, it doesn't execute.

Modules are anonymous

Module scripts default to anonymous CORS mode, i.e. they are fetched as if crossorigin="anonymous" were set.

Modules cannot be credentialed

The crossorigin attribute is neither allowed nor respected for module scripts.

There is no syntax in JavaScript for propagating CORS attributes.

Applications that wish to authenticate modules can do so with fetch and ServiceWorker, but must take care to keep secrets out of function bodies (the source text of a function is readable at runtime via toString). The recommended practice is to keep unencrypted secrets out of source code and in separate files.
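An added illustration of the point above (not part of the gist): a secret inlined in a module's function body is recoverable by anything that can obtain a reference to the function, because Function.prototype.toString returns the function's source text. The sample token, the loader callback and the function names are constructed for this example.

```javascript
// Added example (not from the gist): why a secret inlined in a function body
// is exposed, and the separate-resource layout the gist recommends.
// The sample token and all names below are constructed for illustration.

const SAMPLE_TOKEN = 'sk-example-0000'; // constructed placeholder, not a real secret

// Anti-pattern: the token is written literally into the function body.
function insecureAuthHeader() {
  return { Authorization: 'Bearer sk-example-0000' };
}

// Recommended layout: the function only knows how to *obtain* the secret.
// The value itself lives in a separate resource that a credentialed fetch
// (for example one issued from a ServiceWorker) loads at runtime.
function makeAuthHeader(loadSecret) {
  return async () => ({ Authorization: `Bearer ${await loadSecret()}` });
}

// Function.prototype.toString returns the original source text of a function,
// so any code holding a reference to the function can read that text.
function sourceOf(fn) {
  return Function.prototype.toString.call(fn);
}

// True if the given secret appears verbatim in the function's source.
function leaksSecret(fn, secret) {
  return sourceOf(fn).includes(secret);
}

// A simple "censor" pass: replace every known secret that appears in module
// source text before that text is handed to other code.
function redactSecrets(source, secrets) {
  let out = source;
  for (const s of secrets) {
    if (s) out = out.split(s).join('[REDACTED]');
  }
  return out;
}

// Stand-alone demonstration using a fake loader that returns the sample token.
async function demo() {
  const loaded = makeAuthHeader(async () => SAMPLE_TOKEN);
  const header = await loaded();
  return {
    insecureLeaks: leaksSecret(insecureAuthHeader, SAMPLE_TOKEN), // true
    secureLeaks: leaksSecret(loaded, SAMPLE_TOKEN),               // false
    headerIsCorrect: header.Authorization === `Bearer ${SAMPLE_TOKEN}`,
    redacted: redactSecrets(sourceOf(insecureAuthHeader), [SAMPLE_TOKEN]),
  };
}

demo().then((r) => console.log(r));
```

Note that the "secure" variant still hands out the same Authorization header at runtime; what changes is that the secret is not present in any function's source text, so a module can be shared or inspected without disclosing it.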

Cross-origin modules are executable

Option 1: Anonymous JS is public

Change to the HTML fetch semantics: if (a) a request is anonymous and (b) its response has a JS MIME type, then the response is non-opaque.

Option 2: Modules are executable

When a module script's response is opaque, it still executes.
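An added example, not part of the gist, modelling the whole proposal as a single decision function: the strict MIME-type rule, the always-anonymous request mode (the crossorigin attribute is accepted but ignored), and the two options for cross-origin responses. The JavaScript MIME type list is the one enumerated in the MIME Sniffing standard; the input field names and the result shape are assumptions chosen for this example.

```javascript
// Added example (not from the gist): a model of the proposed CORS policy for
// module scripts. Input field names and the result shape are assumptions.

// JavaScript MIME type essences as enumerated in the MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Essence of a Content-Type header value: type/subtype, lower-cased,
// with any parameters (e.g. "; charset=utf-8") dropped.
function mimeEssence(contentType) {
  if (typeof contentType !== 'string') return null;
  const essence = contentType.split(';')[0].trim().toLowerCase();
  return /^[^/\s]+\/[^/\s]+$/.test(essence) ? essence : null;
}

function isJavaScriptMimeType(contentType) {
  const essence = mimeEssence(contentType);
  return essence !== null && JS_MIME_ESSENCES.has(essence);
}

// Decide how a module script response is treated under the proposal.
//   contentType     : the response's Content-Type header value
//   crossoriginAttr : value of the <script crossorigin> attribute (ignored for modules)
//   sameOrigin      : whether the module URL is same-origin with the document
//   corsAllowed     : whether the server's CORS headers permit the anonymous request
//   option          : 1 ("anonymous JS is public") or 2 ("modules are executable")
function evaluateModuleResponse({ contentType, crossoriginAttr, sameOrigin, corsAllowed, option }) {
  // Modules cannot be credentialed: crossoriginAttr is deliberately not read.
  const credentialsMode = 'anonymous';

  // Strict MIME types: a non-JS response never executes, whatever its origin.
  if (!isJavaScriptMimeType(contentType)) {
    return { credentialsMode, opaque: !sameOrigin && !corsAllowed, executes: false };
  }
  // Same-origin or CORS-approved: the response is exposed and executes.
  if (sameOrigin || corsAllowed) {
    return { credentialsMode, opaque: false, executes: true };
  }
  // Cross-origin without CORS approval: opaque under current fetch rules.
  if (option === 1) {
    // Anonymous request + JS MIME type => the response becomes non-opaque.
    return { credentialsMode, opaque: false, executes: true };
  }
  if (option === 2) {
    // The response stays opaque, but the module still executes.
    return { credentialsMode, opaque: true, executes: true };
  }
  // Neither option adopted: opaque and not executed.
  return { credentialsMode, opaque: true, executes: false };
}

// Stand-alone demonstration with constructed inputs.
console.log(evaluateModuleResponse({
  contentType: 'text/javascript; charset=utf-8',
  crossoriginAttr: 'use-credentials',
  sameOrigin: false, corsAllowed: false, option: 1,
}));
```

The two options converge on the same executes result for cross-origin JavaScript; they differ only in whether the response is exposed to the page (option 1) or remains opaque while still being run (option 2). Either way a non-JS MIME type short-circuits to "does not execute" before the origin rules are consulted.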
