Prevent page or web component from being registered after traffic has been served

[wwwillchen]

We want to avoid an anti-pattern where Mesop app developers are defining a page or web component dynamically after any traffic has been served (page and web components are registered globally as part of the runtime singleton, and are not scoped to a specific context/request).

For example, we want to prevent the following:

@me.page()
def p():
   s = me.state(State)

  @me.page(security_policy=me.SecurityPolicy(allowed_frame_parents=[s.user_input]))
  def dynamic_page():
     pass

[richard-to]

Interesting.

What is security issue with the late registration?

It's ok to late register user defined components? What is the difference?

[wwwillchen]

Interesting.

What is security issue with the late registration?

It's ok to late register user defined components? What is the difference?

The issue with late registration for web components is that it could result in a user loading a local JS file (which the mesop app developer didn't intend to serve).

I can't think of a specific issue with late-registering user defined components, but it seems pretty weird to do this, so I'm open to prohibiting it too (mostly for consistency and encouraging good practices).