Normative: Prohibit module attributes as cache keys

[littledan]

This patch changes the invariants on hosts, requiring that module
attributes do not affect the interpretation of the module. Instead,
they may only be used for checks. This constraint may be relaxed
in the future, or willfully violated by hosts, but there would be
risk in doing so; an extensive note is added explaining this risk.

Addresses #64

[littledan]

cc @ljharb @devsnek @bmeck @jkrems

[bmeck]

double "of of"

[bmeck]

To be clear, this PR does not limit attributes from being used in resolution. I cannot see how we would ever limit such a thing in text if we provide the attribute prior to resolution. I think this is fine, but would still caution against doing things like modifying the Accepts: header which this PR still permits. I think this is fine though.

[devsnek]

if they won't change resolution, we can require that within a module, every occurance of a specifier has to have matching attributes.

[bmeck]

I could imagine that in the future you may want to have alternative resolution based upon module attributes such as some kind of noredirects or some such.

[littledan]

if they won't change resolution, we can require that within a module, every occurance of a specifier has to have matching attributes.

This patch allows hosts to do this. However, it also lets hosts do things like make with type: "json" optional on JSON modules (as you've also requested, and is in conflict). I think requiring that all attributes be the same is anti-compositional, and it's best to ensure that all the check attributes individually ensure the check is done.

[littledan]

To be clear, this PR does not limit attributes from being used in resolution.

Well, it prohibits the attributes from being used in the calculation of the cache key. But, on another read, this PR fails to prohibit hosts from the "race" case, where the attributes from the first time it's imported affect its interpretation, in a sticky way, which is ignored by future imports (or, those future imports get errors). I do want to prevent that case; sounds like we should iterate on the wording.

[littledan]

I've changed the wording a bit to make the "check" restriction more explicit. I think this would imply that attributes can't be used in resolution. (Also deleted the "of of".) Reviews welcome!

[jkrems]

LGTM!

[devsnek]

@littledan to clarify, i mean disallowing this within the same module/file:

import 'x.mjs' with type: 'json';
import 'x.mjs';

multiple modules can still compose together with different attributes

[littledan]

@devsnek I guess hosts would be allowed to make that restriction by keeping track of which attributes it got for which specifier+referrer pair. I don't understand the motivation for the restriction, but it's not prohibited by the spec.

[ljharb]

Thoughts?

[littledan]

Thanks @ljharb ; these seem like reasonable clarifications.

[ljharb]

What I'm trying to capture here is for a given attribute, it should either provide the same Module, or an error, whether the attribute is absent or present, and with any value in the attribute. Thoughts on this or alternative text?

Suggested change

	<ins>_moduleRequest_.[[Attributes]] must not influence the interpretation of the module or the module specifier; instead, it may be used to determine whether the algorithm completes normally or with an abrupt completion.</ins>
	<ins>_moduleRequest_.[[Attributes]] must not influence the interpretation of the module or the module specifier; instead, it may be used to determine whether the algorithm completes normally or with an abrupt completion. This applies to any individual attribute pair, as well as the overarching _moduleRequest_.[[Attributes]] group.</ins>

[jkrems]

I'm not sure I understand this addition. " moduleRequest.[[Specifier]] pair" mentions a single thing (the specifier) and then appends "pair". Was this meant as the list of pairs made up of the specifier and each attribute..? I sounds like "no combination of presence or absence of attributes" which seems like a more complicated framing of the original sentence (which already rules out [[Attributes]] being considered at all). Is there an example/loophole you had in mind here?

[ljharb]

The term is used 3 or 4 other times in this PR alone; it means to me "a single attribute name and value".

The intention is that each attribute is considered independently for this invariant - it may be true that it's not necessary to do so and the invariant is still preserved, but it feels closer to the underlying intention to me to be specific.

[jkrems]

I think the only place with pair I'm seeing is:

referencingScriptOrModule, moduleRequest.[[Specifier]] pair

Which is the pair of importer and specifier. Is that what you meant here? If it's about attribute name/value pairs, I assume it should reference _moduleRequest_.[[Attributes]], not _moduleRequest_.[[Specifier]].

[ljharb]

ohhh, thanks for clarifying. will fix the suggestion.

[littledan]

@jkrems @ljharb Were you happy with what ultimately landed, or does anything need to be changed?

[Jack-Works]

This disable the possibility that the http server return different file for the same path based on the attributes

[ljharb]

@Jack-Works yes, that is part of the intention.

[littledan]

This disable the possibility that the http server return different file for the same path based on the attributes

Yes, that's true. We could consider weakening this requirement during Stage 2, if we find that the header is required. The current plan of record does not include this header, but I'm open to it, based on the feedback we get from WHATWG.

[littledan]

I presented this PR to TC39, and it was part of the Stage 2 consensus, so landing it.