Import Assertions are an inline syntax for module import statements to pass on more information alongside the module specifier. The syntax is as follows (shown here is the proposed method for importing a JSON module): import json from "./foo.json" assert { type: "json" };

Motivation

Standards-track JSON ES modules were proposed to allow JavaScript modules to easily import JSON data files, similarly to how they are supported in many nonstandard JavaScript module systems. This idea quickly got broad support from web developers and browsers, and was merged into HTML, with an implementation for V8/Chromium created by Microsoft. However, security concerns were raised about privilege escalation that could occur when importing JSON modules and similar module types which cannot execute code. When a script imports something that it intends to be a JSON module, if the responding server unexpectedly provides a different MIME type then it could cause code to be unexpectedly executed. The solution was to somehow indicate that a module was JSON, or in general, not to be executed, somewhere in addition to the MIME type. Import Assertions provide the means for doing so. Proposed ES module types that are blocked by this security concern, in addition to JSON modules, include CSS modules and potentially HTML modules if the HTML module proposal is restricted to not allow script.

Status in Chromium


Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Intent to Prototype url

Intent to Prototype thread

Comments

See also: https://github.com/whatwg/html/pull/5658

Last updated on 2021-07-19