Intent to Implement: JSON Modules
Contact emails
dan...@microsoft.com, sase...@microsoft.com, tra...@microsoft.com, pc...@microsoft.com, gw...@microsoft.com, litt...@igalia.com, ms2...@igalia.com
Design doc/Spec
The Synthetic Modules Design Doc describes how JSON modules will be implemented using Synthetic Modules. See in particular the Blink Changes section.
JSON modules is already part of the HTML spec; see https://html.spec.whatwg.org/#json-module-script
TAG has approved the feature: https://github.com/w3ctag/design-reviews/issues/375
Summary
JSON modules are another type of module script alongside JavaScript module script.  JSON module scripts are fetched in the same way as JavaScript module
scripts, e.g. with the "cors" mode and using strict MIME type checking.  They share the same module import syntax, e.g.
import data from "./resource.json".  
The JSON object parsed from the fetched file is provided as the module's single default export, with parse errors checked before instantiating the module graph.
Motivation
There is not currently a way for developers to statically import JSON content as part of module graph instantiation. Currently developers are forced to consume JSON content dynamically through e.g. fetch().
See GitHub thread here for extensive discussion and many comments indicating support: https://github.com/whatwg/html/issues/4315.
The StackOverflow thread here also contains comments highlighting the lack of this feature in ES6: https://stackoverflow.com/questions/34944099/how-to-import-a-json-file-in-ecmascript-6
Risks
Interoperability and Compatibility
Given that this feature is part of the HTML spec and has indications of support expressed by multiple browser vendors, we do not expect long-term interoperability or compatibility issues.
Edge: Public support; Microsoft is driving the Blink implementation: https://github.com/whatwg/html/issues/4315#issuecomment-489799200
Firefox: Public support: https://github.com/whatwg/html/issues/4315#issuecomment-489537002
Safari: No signals
Web / Framework developers: Quite positive. litt...@igalia.com and ms2...@igalia.com drove the spec work, and there were many expressions of support in #4315. There were some requests in that thread to expand the feature to support named exports, but the due to the complexity and ambiguity involved this was not included.
Ergonomics
We expect the feature to be commonly used in tandem with JavaScript modules (and potentially other module types yet to come).
The feature will be built on Synthetic Modules as part of the existing module graph infrastructure so we don't expect any new performance issues.
Activation
Since the feature shares the existing modules syntax and infrastructure we expect that developers already familiar with ES6 modules will have very little difficulty learning and taking advantage of the feature.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Link to entry on the feature dashboard
TBD
Requesting approval to ship?
No
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/BN8PR00MB062883D413AAB266CFA2B269C5F30%40BN8PR00MB0628.namprd00.prod.outlook.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPVAxLVwEuAFyO_bpcdKhfWA4vRrPD0zaD9YdbfZrhceLkN7NA%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACj%3DBEi94yOcD-wXA1XkJpmy8QTmTF7HkxysSXftUQJLZnahuw%40mail.gmail.com.
Intent to Implement: JSON Modules
Contact emails
Design doc/Spec
The Synthetic Modules Design Doc describes how JSON modules will be implemented using Synthetic Modules. See in particular the Blink Changes section.
JSON modules is already part of the HTML spec; see https://html.spec.whatwg.org/#json-module-script
TAG has approved the feature: https://github.com/w3ctag/design-reviews/issues/375
Thanks for the feedback so far! Answers to the questions that came up follow below:
Yoav Weiss:
> Will this play nicely with current module infrastructure, e.g. modulepreload?
Yes – the feature is built as part of the current module system and will integrate with all the existing infrastructure such as modulepreload, It’s just another module variant in the same module graph.
J Decker:
> I see benefit; though I'm not sure the cost of module overhead on a JSON.parse() result is really worth it; and it's only for static content...
> but mostly it's only JSON. what about other, user extensions? (.json5, .json6, .hjson ) can we register module loaders?
As a first-class participant in the ES module system, JSON modules can also be consumed non-statically with dynamic import.
We don’t plan to incorporate user extensions as part of this proposal -- our current focus is on further extending the native module infrastructure with JSON, CSS modules and eventually HTML Modules. However, Synthetic Modules would be a great building block for a future proposal for user extensions (as it was for JSON modules).
Artur Janc:
> I've been trying to understand the security delta of this feature, but I haven't this discussed in any of the design docs linked above. Is there an explainer that would cover it? (The design doc seems fairly low level and doesn't make it obvious what the security consequences are.)
> More specifically, being able to import JSON cross-origin can be dangerous because it could create new XSSI vectors. Is the idea to require CORS as the main protection?
This feature builds on the current JavaScript module infrastructure and thus inherits all of its security characteristics. Specifically, JSON modules have the same behavior as JavaScript modules with respect to protection again cross-origin loading by requiring CORS, as well as enforcing strict MIME-type checking. If there is any particular kind of documentation or further info in this area that I can provide then I'm happy to do so; we just didn't see value in a separate writeup here given that JSON modules follow the same tried-and-tested security model of JS modules. If there's any particular threat beyond those already mentioned that you think we should investigate, please let me know and we'll take a look.
Thanks for the feedback so far! Answers to the questions that came up follow below:
Yoav Weiss:
> Will this play nicely with current module infrastructure, e.g. modulepreload?
Yes – the feature is built as part of the current module system and will integrate with all the existing infrastructure such as modulepreload, It’s just another module variant in the same module graph.
J Decker:
> I see benefit; though I'm not sure the cost of module overhead on a JSON.parse() result is really worth it; and it's only for static content...
> but mostly it's only JSON. what about other, user extensions? (.json5, .json6, .hjson ) can we register module loaders?
As a first-class participant in the ES module system, JSON modules can also be consumed non-statically with dynamic import.
We don’t plan to incorporate user extensions as part of this proposal -- our current focus is on further extending the native module infrastructure with JSON, CSS modules and eventually HTML Modules. However, Synthetic Modules would be a great building block for a future proposal for user extensions (as it was for JSON modules).
Artur Janc:
> I've been trying to understand the security delta of this feature, but I haven't this discussed in any of the design docs linked above. Is there an explainer that would cover it? (The design doc seems fairly low level and doesn't make it obvious what the security consequences are.)
> More specifically, being able to import JSON cross-origin can be dangerous because it could create new XSSI vectors. Is the idea to require CORS as the main protection?
This feature builds on the current JavaScript module infrastructure and thus inherits all of its security characteristics. Specifically, JSON modules have the same behavior as JavaScript modules with respect to protection again cross-origin loading by requiring CORS, as well as enforcing strict MIME-type checking. If there is any particular kind of documentation or further info in this area that I can provide then I'm happy to do so; we just didn't see value in a separate writeup here given that JSON modules follow the same tried-and-tested security model of JS modules. If there's any particular threat beyond those already mentioned that you think we should investigate, please let me know and we'll take a look.
On Monday, July 15, 2019 at 5:23:50 AM UTC-7, Artur Janc wrote:
On Thursday, July 11, 2019 at 11:04:51 PM UTC+2, Daniel Clark wrote:
Intent to Implement: JSON Modules
Contact emails
--
You received this message because you are subscribed to a topic in the Google Groups "blink-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/blink-dev/ojwkySW-bpQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/45b44f01-be53-49a7-ac73-f3c19cb639bf%40chromium.org.
On Tue, Jul 16, 2019 at 11:57 PM daniec via blink-dev <blin...@chromium.org> wrote:Thanks for the feedback so far! Answers to the questions that came up follow below:
Yoav Weiss:
> Will this play nicely with current module infrastructure, e.g. modulepreload?
Yes – the feature is built as part of the current module system and will integrate with all the existing infrastructure such as modulepreload, It’s just another module variant in the same module graph.
J Decker:
> I see benefit; though I'm not sure the cost of module overhead on a JSON.parse() result is really worth it; and it's only for static content...
> but mostly it's only JSON. what about other, user extensions? (.json5, .json6, .hjson ) can we register module loaders?
As a first-class participant in the ES module system, JSON modules can also be consumed non-statically with dynamic import.
We don’t plan to incorporate user extensions as part of this proposal -- our current focus is on further extending the native module infrastructure with JSON, CSS modules and eventually HTML Modules. However, Synthetic Modules would be a great building block for a future proposal for user extensions (as it was for JSON modules).
Artur Janc:
> I've been trying to understand the security delta of this feature, but I haven't this discussed in any of the design docs linked above. Is there an explainer that would cover it? (The design doc seems fairly low level and doesn't make it obvious what the security consequences are.)
> More specifically, being able to import JSON cross-origin can be dangerous because it could create new XSSI vectors. Is the idea to require CORS as the main protection?
This feature builds on the current JavaScript module infrastructure and thus inherits all of its security characteristics. Specifically, JSON modules have the same behavior as JavaScript modules with respect to protection again cross-origin loading by requiring CORS, as well as enforcing strict MIME-type checking. If there is any particular kind of documentation or further info in this area that I can provide then I'm happy to do so; we just didn't see value in a separate writeup here given that JSON modules follow the same tried-and-tested security model of JS modules. If there's any particular threat beyond those already mentioned that you think we should investigate, please let me know and we'll take a look.
There is an important distinction between HTTP responses which parse as JavaScript and those which parse as JSON. JavaScript resources can be directly loaded cross-origin in `no-cors` mode (via <script src="//victim/resource.js">) and thus developers already have to be careful to not include any authenticated data in responses which parse as JS. This is not the case for JSON because there is no web API that allows no-cors loads of JSON replies (including them as a <script> will result in a SyntaxError);
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPYVjqpVJNbPEGyMV%3DQaqUTyrGBqfa51ei2FAE8b8%3DpqHwvhJQ%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADizRgb7fmU%2BDa%3DPovfk3L1%2B_ebYnX_WrYbHnrfKdaYj9YYFuQ%40mail.gmail.com.
To unsubscribe from this group and all its topics, send an email to blin...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/45b44f01-be53-49a7-ac73-f3c19cb639bf%40chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blin...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPYVjqpVJNbPEGyMV%3DQaqUTyrGBqfa51ei2FAE8b8%3DpqHwvhJQ%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blin...@chromium.org.
I added a section to the design document stating generally that opening the module system to more resource types implies that we must be more careful with changes involving the module infrastructure overall, as resource types other than JavaScript can now be affected. I've used the JSON case as an example. https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/master/SyntheticModules/designDoc.md#security-considerations-for-new-module-typesThanks for raising the issue -- while I don't expect to ever see a 'no-cors' version of modules gain much support, it's definitely worth noting that adding more module types widens the scope of any change to the module system.
To unsubscribe from this group and all its topics, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/ecdb12ab-fa31-4ef3-bee3-aa993e3437e2%40chromium.org.
Link to entry on the feature dashboard
TBD