From 65ba9e0671ab9d3f6b35575ebcc4aaea4b059792 Mon Sep 17 00:00:00 2001 From: Steven Date: Sun, 1 Feb 2026 17:06:43 -0500 Subject: [PATCH] fix: add requirement of `Accept: */*` and `Sec-Fetch-Dest: bytes` --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b73c616..a5eed10 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ const bytes = Uint8Array.fromBase64("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAw If a module import has an attribute with key `type` and value `bytes`, the host is required to either fail the import, or treat it as a Uint8Array backed by an immutable ArrayBuffer. The Uint8Array object is the default export of the module (which has no named exports). -In browser environments, this will be equivalent to `fetch()` such that `sec-fetch-dest` will be empty. The response `content-type` will be ignored. +In browser environments, the request will include headers `Accept: */*` and `Sec-Fetch-Dest: bytes`. The response `Content-Type` header will be ignored. In "local" desktop/server/embedded, this will be equivalent to a file read. The file extension will be ignored. @@ -167,7 +167,7 @@ See discussion in Issue https://github.com/styfle/proposal-import-bytes/issues/3 This proposal does not attempt to introduce a new phase like the [source](https://github.com/tc39/proposal-source-phase-imports) or [asset](https://github.com/tc39/proposal-asset-references) proposals. -A new phase would require a syntax change to JavaScript and cause `Sec-Fetch-Dest` to be script instead of empty. It also introduces security implications since importing arbitrary code could be malicious. +A new phase would require a syntax change to JavaScript and cause `Sec-Fetch-Dest: script` instead of `bytes`. It also introduces security implications since importing arbitrary code could be malicious. See discussion in Issue https://github.com/tc39/proposal-import-bytes/issues/16
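Review bot: In the first hunk (`@@ -73,7 +73,7 @@`), the added line drops the "equivalent to `fetch()`" comparison and names only two headers, so the README no longer says how the rest of the request behaves. If the request is still meant to behave like `fetch()` apart from the destination, keep that clause and attach the headers to it, for example "this will be equivalent to `fetch()`, except that the request is sent with `Accept: */*` and `Sec-Fetch-Dest: bytes`". The subject line calls this a requirement, but "will include" reads as a description; "must include" would match the "the host is required to" wording two paragraphs up. Because the same line says the response `Content-Type` header is ignored, it would also help to state that `Sec-Fetch-Dest: bytes` is the signal a server can use to recognise these requests.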
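Review bot: In the second hunk (`@@ -167,7 +167,7 @@`), the phrase "cause `Sec-Fetch-Dest: script` instead of `bytes`" has lost its verb and compares a full header with a bare value. Suggest "cause the request to be sent with `Sec-Fetch-Dest: script` instead of `Sec-Fetch-Dest: bytes`", which also matches the form used in the first hunk. The following sentence, "It also introduces security implications since importing arbitrary code could be malicious", is carried over unchanged in substance and stays vague; since the README defines a `bytes` import as yielding only an immutable Uint8Array, this is the place to say that the contrast is between a response that is evaluated as code and one that is never executed. Separately, the issue links visible in this hunk point at two different repositories (`styfle/proposal-import-bytes` in the hunk header context and `tc39/proposal-import-bytes` in the trailing context line); worth checking whether the former should be updated.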