es-module-shims 2.6.2 → 2.8.0

package/README.md

@@ -31,7 +31,7 @@ Because we are still using the native module loader the edge cases work out comp
 Include ES Module Shims with a `async` attribute on the script, then include an import map and module scripts normally:
 
 ```html
-<script async src="https://ga.jspm.io/npm:es-module-shims@2.6.2/dist/es-module-shims.js"></script>
+<script async src="https://ga.jspm.io/npm:es-module-shims@2.8.0/dist/es-module-shims.js"></script>
 
 <!-- https://generator.jspm.io/#U2NhYGBkDM0rySzJSU1hKEpNTC5xMLTQM9Az0C1K1jMAAKFS5w0gAA -->
 <script type="importmap">
@@ -397,6 +397,20 @@ const importMap = { imports: {/*...*/}, scopes: {/*...*/} };
 importShim.addImportMap(importMap);
 ```
 
+### Module Scripts
+
+All module scripts except those with a `noshim` attribute are polyfilled. We support all of the the `defer`, `integrity`, `referrerPolicy`, `fetchPriority` and `crossOrigin` script attribute behaviours when polyfilling.
+
+In addition to static module scripts, we also use mutation observers to automatically detect and apply dynamic polyfilling for scripts injected into the head of the page:
+
+```js
+document.head.appendChild(Object.assign(document.createElement('script'), {
+  innerHTML: `import 'maybe-polyfill-dep'; console.log('loaded');`,
+}));
+```
+
+The same attributes as static scripts are also supported.
+
 ### Shim Import
 
 Dynamic `import(...)` within any modules loaded will be rewritten as `importShim(...)` automatically providing full support for all es-module-shims features through dynamic import.
@@ -455,6 +469,17 @@ import pkg from 'pkg';
 </script>
 ```
 
+## Trusted Types Support
+
+ES Module Shims supports [Trusted Types](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API) a browser security feature that prevents DOM-based XSS attacks. When your CSP includes `require-trusted-types-for 'script'`, the library automatically creates a policy named `es-module-shims` to handle its internal script creation and source rewriting. Browsers without Trusted Types support fall back to standard behavior automatically.
+
+To enable it, add `es-module-shims` to your CSP's trusted-types directive. If you see errors about "TrustedScript assignment," you're missing this directive.
+
+```html
+<meta http-equiv="Content-Security-Policy" 
+      content="require-trusted-types-for 'script'; trusted-types es-module-shims;">
+```
+
 #### Wasm Build
 
 To use the Web Assembly / non-CSP build of ES Module Shims, this is available as a self-contained single file at `es-module-shims/wasm` or `es-module-shims/dist/es-module-shims.wasm.js` in the package folder.
@@ -781,7 +806,7 @@ For example, if lazy loading `<script type="module-shim">` scripts alongside sta
 
 DOM `load` events are fired for all `"module-shim"` scripts both for success and failure just like for native module scripts.
 
-### Pollyfill Enable Option
+### Polyfill Enable Option
 
 The `polyfillEnable` option allows enabling polyfill features which are newer and would otherwise result in unnecessary polyfilling in modern browsers that haven't yet updated.
 
@@ -799,7 +824,7 @@ In adddition, the `"all"` option will enable all features.
 
 The reason the `polyfillEnable` option is needed is because ES Module Shims implements a performance optimization where if a browser supports modern modules features to an expected baseline of import maps support, it will skip all polyfill source analysis resulting in full native passthrough performance.
 
-### Pollyfill Disable Option
+### Polyfill Disable Option
 
 Conversely to `polyfillEnable` it can be beneficial to dissable unused features where excluding those features from the baseline allows avoiding unnecessary feature detections or unnecessary analysis of module graphs.