From 04327ff264114749af45b71cf8a9b511aaada6f7 Mon Sep 17 00:00:00 2001 From: Joel Denning Date: Mon, 23 Sep 2024 13:07:41 -0600 Subject: [PATCH] Update changeset, add documentation --- .changeset/purple-hornets-kneel.md | 4 ++-- docs/configuration.md | 14 ++++++++++++++ docs/security.md | 1 + 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.changeset/purple-hornets-kneel.md b/.changeset/purple-hornets-kneel.md index dd54f05..ab9faaa 100644 --- a/.changeset/purple-hornets-kneel.md +++ b/.changeset/purple-hornets-kneel.md @@ -1,5 +1,5 @@ --- -"import-map-overrides": patch +"import-map-overrides": major --- -Option to toggle overrides via query string. Disable this behavior by default. +Disable query string overrides, by default. Add support for `allow-query-param-override` attribute to `` element. diff --git a/docs/configuration.md b/docs/configuration.md index 2b673e3..60532f1 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -161,3 +161,17 @@ To configure domains, add a `` element content="allowlist:*.example.com,example-*.com" /> ``` + +## Query Parameter Overrides + +import-map-overrides has an opt-in feature that allows users to set overrides via the `imo` query parameter on the current page. When enabled, the `imo` query parameter value should be a URL-encoded import map. For example, an override map of `{"imports": {"module1": "/module1.js"}}` would be encoded via https://example.com?imo=%7B%22imports%22%3A%7B%22module1%22%3A%22%2Fmodule1.js%22%7D%7D + +To enable query parameter overrides, add the `allow-query-param-override` attribute to the `` element: + +```html + +``` diff --git a/docs/security.md b/docs/security.md index d16e257..ff59af2 100644 --- a/docs/security.md +++ b/docs/security.md 
@@ -8,6 +8,7 @@ However, there are things you can do to protect your users from self XSS. Consid 1. (**Most Important and Highly Recommended**) Configure your server to set a [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) HTTP header for your HTML file. In it, consider safelisting the domains that you trust. Doing so is important to protect your users from XSS and other attacks. 1. Consider removing import-map-overrides from your production application's HTML file, or [configuring a domain list](/docs/configuration.md#domain-list) that disables import map overrides in production. If you properly set a Content-Security-Policy header, this provides no extra security. However, if you have not configured CSP, this will at least make it a bit harder for the user to self XSS. My recommendation is to do CSP instead of this whenever possible. +1. Consider disabling query parameter overrides by removing the `allow-query-param-override` attribute on the `` element for import-map-overrides. See [query parameter overrides documentation](/docs/configuration.md#query-parameter-overrides). ## Node
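Review bot: in the .changeset/purple-hornets-kneel.md hunk, the bump from `patch` to `major` is right, because turning query string overrides off by default changes behaviour for anyone who was relying on the `imo` parameter, but the changeset text does not tell those users what to do. Suggest adding a migration sentence, e.g. "If you relied on query string overrides, add the `allow-query-param-override` attribute to the element that configures import-map-overrides." Also, the comma in "Disable query string overrides, by default." is spurious.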
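Review bot: in the docs/configuration.md hunk, the `html` fenced block under "Query Parameter Overrides" shows no element at all, so a reader cannot see where `allow-query-param-override` goes; the fence should contain the full element with the attribute set. "would be encoded via https://example.com?imo=..." should read "would be passed as ..." (the encoding is of the map, the URL is where it is passed), and it is worth saying that the value must decode to a valid import map JSON object. Because a query parameter can be supplied by anyone who can get a user to open a link, the section should state that the feature is opt-in for that reason and link to docs/security.md, the way the security page links back here.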
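Review bot: in the docs/security.md hunk, "Consider disabling query parameter overrides by removing the `allow-query-param-override` attribute" reads as if the feature is on unless removed, but the changeset in this same patch makes it disabled by default and configuration.md calls it opt-in. Suggest wording it as "Do not add the `allow-query-param-override` attribute ... unless you need query parameter overrides; when it is set, a crafted URL can control which modules the page loads, so pair it with the Content-Security-Policy recommendation above." The link anchor `#query-parameter-overrides` matches the new "## Query Parameter Overrides" heading, so that part is fine.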