Load JS modules for web components as-needed [BREAKING CHANGE] #723

Merged
merged 2 commits into from
Aug 4, 2024

wwwillchen
Collaborator

@wwwillchen wwwillchen commented Aug 3, 2024

I discovered an issue with the way we're loading JS modules for web components where all the pages of the app will try to load the JS modules. This leads to either: a) unnecessarily loading JS modules or b) getting spammed with CSP errors because the other pages (which don't load the web component) will probably not have the right security policy (CSP) configuration. b) was happening on our own demo site.

This loads JS modules dynamically when a web component is called in a render loop. Note: JS module imports should be de-duped so re-importing the same module returns the same instance and is basically instant.

Breaking change: This PR introduces a breaking change for Mesop app developers using web components. You may need to add sites to: Security_Policy(allowed_script_srcs=[..]

Because web components are still in labs, I think it's OK to make this breaking change. I will also have a follow-up PR (#724) to make it easier to fix CSP errors.

Background: Based on w3c/webappsec#544, it sounds like when you load a module via <script src="foo.js" type="module" nonce="...">, then the modules statically imported by foo.js are covered by the nonce.
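An added illustration of the pattern the description above refers to, requesting a module only when a web component is actually rendered and de-duping repeat requests; it is not part of the original PR and is not Mesop's code. `ModuleLoader`, `renderPage`, the `PAGES` shape and the module URL are hypothetical names and constructed sample data.

```javascript
// Added illustration; every name here is hypothetical, not Mesop's API.
class ModuleLoader {
  // importFn is injectable so the logic also runs outside a browser;
  // in a page it defaults to the native dynamic import().
  constructor(importFn = (url) => import(url)) {
    this.importFn = importFn;
    this.pending = new Map(); // module URL -> Promise of the loaded module
  }

  // Safe to call on every render pass: each URL is requested at most once.
  ensureLoaded(url) {
    if (!this.pending.has(url)) {
      const p = new Promise((resolve) => resolve(this.importFn(url))).catch((err) => {
        // A failed load (for example one refused by the page's CSP) is
        // evicted so a later render can retry, and is reported once.
        this.pending.delete(url);
        console.error(`module load failed: ${url}`, err);
        return null;
      });
      this.pending.set(url, p);
    }
    return this.pending.get(url);
  }
}

// Constructed sample app: only /chart renders a web component.
const PAGES = {
  "/": { components: [{ tag: "text" }, { tag: "button" }] },
  "/chart": { components: [
    { tag: "demo-chart", moduleUrl: "/components/demo_chart.js" },
    { tag: "demo-chart", moduleUrl: "/components/demo_chart.js" },
  ] },
};

// One render pass: request modules only for web components on this page, so
// a page without them issues no script fetch for its CSP to evaluate.
function renderPage(path, loader) {
  const requested = [];
  for (const c of PAGES[path].components) {
    if (c.moduleUrl) requested.push(loader.ensureLoaded(c.moduleUrl));
  }
  return requested;
}

// Stand-alone demo with a stub importer (no network access).
const demo = new ModuleLoader(async (url) => ({ url }));
renderPage("/", demo);
renderPage("/chart", demo);
console.log([...demo.pending.keys()]); // only the /chart module was requested
```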

Collaborator

@richard-to richard-to left a comment

Ah great catch.

@wwwillchen wwwillchen merged commit b09a0a1 into google:main Aug 4, 2024
2 checks passed
@wwwillchen wwwillchen deleted the load_js_modules_right branch August 4, 2024 04:00
@wwwillchen wwwillchen mentioned this pull request Aug 5, 2024
wwwillchen added a commit that referenced this pull request Aug 5, 2024
* bump to v0.11.0rc0
* bump to v0.11.0
* Update smoketest app with security policy (see: #723)
2 participants