Import attributes[^1] are a JavaScript feature to allow annotating import declarations, for example `import xxx from "mod" with { type: "json" }'. Chrome originally shipped a previous version of the proposal (in M91) using 'assert' as the keyword. This version has then been updated to use 'with' due to some changes needed while integrating it with HTML for JSON and CSS modules[^2]. [^1]: https://github.com/tc39/proposal-import-attributes/ [^2]: https://github.com/whatwg/html/issues/7233
Standards-track JSON ES modules were proposed to allow JavaScript modules to easily import JSON data files, similarly to how they are supported in many nonstandard JavaScript module systems. This idea quickly got broad support from web developers and browsers, and was merged into HTML, with an implementation for V8/Chromium created by Microsoft. However, security concerns were raised about privilege escalation that could occur when importing JSON modules and similar module types which cannot execute code. When a script imports something that it intends to be a JSON module, if the responding server unexpectedly provides a different MIME type then it could cause code to be unexpectedly executed. The solution was to somehow indicate that a module was JSON, or in general, not to be executed, somewhere in addition to the MIME type. Import Attributes provide the means for doing so. The proposal, initially called "Import Assertions" only allowed asserting existing properties of the loaded modules. It has not been updated to "Import Attributes", a more generic form of parameters for the modules loading process. Thus, they can now affect how JSON and CSS modules are fetched, making it possible to apply the relevant CSP rules and use the proper HTTP headers in the request.