ES Modules: suggestions for improvement
jussi.kalliokoski at gmail.com
Wed Jun 27 11:34:29 PDT 2012
> "For security, the Loader object could be frozen with Object.freeze to
> prevent additional changes."
> => This is not enough. People shouldn't have to opt-in for security,
> mostly because they don't do it. I would call for security by default here
> and having "import <path>" call the built-in Loader.resolve instead of the
> dynamic one.
> If people want to override the Loader API, they would have to forget about
> syntax. Or a new syntax could be introduced, making clear that it's
> dangerous. Maybe something like "importDyn".
Sorry to arrive late to the party, but I don't see the security issue here.
Is this about third party scripts being able to change what modules get
loaded, to inject a malicious script into a module path? Why would they do
that if they already have script access and can import the malicious stuff
themselves? Or is this something about leaking secrets?