Update changeset, add documentation

single-spa · Sep 23, 2024 · 04327ff · 04327ff
1 parent 14d944c
commit 04327ff
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/.changeset/purple-hornets-kneel.md b/.changeset/purple-hornets-kneel.md
@@ -1,5 +1,5 @@
 ---
-"import-map-overrides": patch
+"import-map-overrides": major
 ---
 
-Option to toggle overrides via query string. Disable this behavior by default.
+Disable query string overrides, by default. Add support for `allow-query-param-override` attribute to `<meta>` element.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -161,3 +161,17 @@ To configure domains, add a `<meta name="import-map-overrides-domains">` element
   content="allowlist:*.example.com,example-*.com"
 />
 ```
+
+## Query Parameter Overrides
+
+import-map-overrides has an opt-in feature that allows users to set overrides via the `imo` query parameter on the current page. When enabled, the `imo` query parameter value should be a URL-encoded import map. For example, an override map of `{"imports": {"module1": "/module1.js"}}` would be encoded via https://example.com?imo=%7B%22imports%22%3A%7B%22module1%22%3A%22%2Fmodule1.js%22%7D%7D
+
+To enable query parameter overrides, add the `allow-query-param-override` attribute to the `<meta name="importmap-type">` element:
+
+```html
+<meta
+  name="importmap-type"
+  content="systemjs-importmap"
+  allow-query-param-override
+/>
+```
diff --git a/docs/security.md b/docs/security.md
@@ -8,6 +8,7 @@ However, there are things you can do to protect your users from self XSS. Consid
 
 1. (**Most Important and Highly Recommended**) Configure your server to set a [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) HTTP header for your HTML file. In it, consider safelisting the domains that you trust. Doing so is important to protect your users from XSS and other attacks.
 1. Consider removing import-map-overrides from your production application's HTML file, or [configuring a domain list](/docs/configuration.md#domain-list) that disables import map overrides in production. If you properly set a Content-Security-Policy header, this provides no extra security. However, if you have not configured CSP, this will at least make it a bit harder for the user to self XSS. My recommendation is to do CSP instead of this whenever possible.
+1. Consider disabling query parameter overrides by removing the `allow-query-param-override` attribute on the `<meta>` element for import-map-overrides. See [query parameter overrides documentation](/docs/configuration.md#query-parameter-overrides).
 
 ## Node
-Original file line number
+Diff line change
@@ Expand Up @@
 . (**Most Important and Highly Recommended**) Configure your server to set a [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) HTTP header for your HTML file. In it, consider safelisting the domains that you trust. Doing so is important to protect your users from XSS and other attacks.
 . Consider removing import-map-overrides from your production application's HTML file, or [configuring a domain list](/docs/configuration.md#domain-list) that disables import map overrides in production. If you properly set a Content-Security-Policy header, this provides no extra security. However, if you have not configured CSP, this will at least make it a bit harder for the user to self XSS. My recommendation is to do CSP instead of this whenever possible.
+. Consider disabling query parameter overrides by removing the `allow-query-param-override` attribute on the `<meta>` element for import-map-overrides. See [query parameter overrides documentation](/docs/configuration.md#query-parameter-overrides).
     ## Node
@@ Expand Down @@