Given the question in the title is asked on the Caja mailing-list, I
can be found on the web.
And the answer is no.
The ECMAScript spec defines the syntax, but leaves the loading
semantics off of the ECMAScript spec itself.
To the best of my knowledge, the latest state of web browser
agreement regarding how a browser will load a module is defined at
(but only implemented behind flags
Even if the spec is still in flux, I doubt browsers will ever give
access to the file system directly, so no worries there.
Then there is the question of the loading semantics of "import" in
the Node.js runtime. That's a different story, with complicated
I think the latest news on that front can be read at :
Also, follow https://twitter.com/nodemjs
for news about this.
In any case, in Node, the loader will most certainly give ambiant
authority to the file system, but that's not more than what the
current loader ("require" function of CommonJS modules) provides.
As MarkM mentionned, there are plans to be hooks to intercept
resolution of modules. These obviously won't increase authority on
the web, but may help decreasing authority for the Node.js loader
(which I'm looking forward to).
Hope that helps,