Given the question in the title is asked on the Caja mailing-list, I
assume the question is asked specifically about the JavaScript that
can be found on the web.
And the answer is no.
The ECMAScript spec defines the syntax, but leaves the loading
semantics off of the ECMAScript spec itself.
To the best of my knowledge, the latest state of web browser
agreement regarding how a browser will load a module is defined at
https://whatwg.github.io/loader/ (but only implemented behind flags
in browsers).
Even if the spec is still in flux, I doubt browsers will ever give
access to the file system directly, so no worries there.
Then there is the question of the loading semantics of "import" in
the Node.js runtime. That's a different story, with complicated
ramifications.
I think the latest news on that front can be read at :
https://medium.com/the-node-js-collection/an-update-on-es6-modules-in-node-js-42c958b890c
Also, follow
https://twitter.com/nodemjs and
https://twitter.com/jasnell for news about this.
In any case, in Node, the loader will most certainly give ambiant
authority to the file system, but that's not more than what the
current loader ("require" function of CommonJS modules) provides.
As MarkM mentionned, there are plans to be hooks to intercept
resolution of modules. These obviously won't increase authority on
the web, but may help decreasing authority for the Node.js loader
(which I'm looking forward to).
Hope that helps,
David