Script tag extension: Per-Module Network Isolation

[ghost]

Context

Ongoing discussions are being made around the idea that Web Applications should be secure by default, and thus offline first.

That is, when distributed as downloadable Web Bundles, they should not have internet access by default, and network access should be granted based on user permissions. However, in order to not compromise the security of the application when allowing network access, developers should also be able to scope that access to specific parts of the application.

This is the goal of the present proposal of extending the script tag for per-module network isolation in the context of Web Applications.

Proposal

Similarly to Deno's permissions model, the allow-net attribute could be used to restrict network access to specific domain(s) on a per-module basis. In the following example, in the context of an offline first Web Application, the module index.js has gained network access only for the hosting domain https://application.com:

<script type="module" src="index.js" allow-net="https://application.com"></script>

Per-Module Network isolation would allow to better isolate the parts of the application that need internet access from the others, also enhancing the audit of the application by third-party controls.

Example

An offline application could only use network access for the login.js module, in order to log in a user, while the rest of the application would stay offline:

<script type="module" src="login.js" allow-net="https://login.application.com"></script>

[domenic]

Closing per whatwg/fetch#1209 (comment).