-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrity proposal #221
Comments
I've added an integrity proposal to the import maps extensions repo, which currently is an aim to try and capture the spill-over on discussions not currently happening here - https://github.com/guybedford/import-maps-extensions#integrity. |
Right the web platform already has SRI and the capability to add them to imports, this would solve the cache invalidation turtles all the way down that @mozfreddyb and @fmarier will be very familiar with. |
Although I still believe this would be best in a general fetch map, not a JS import-specific one, the proposal at https://github.com/guybedford/import-maps-extensions#integrity is simple enough, and we've seen such bad progress on fetch maps, that I'd be willing to pursue this in a hypothetical future where we got more engineers to work on import maps in Chromium. (See #235 (comment) for more background.) As such, any thumbs-up votes on the OP here would be helpful for such future prioritization. |
Whilst decoupling this idea from import maps seems worthwhile to improve traction. My hunch is the engineering effort to implement this would be pretty significant and not too dissimilar to import maps alone. This has the ability to resolve many problems:
Can the design can account for this without implementing other imports types? |
Moving over some discussion from #174 — @guybedford listed a few options:
With the caveat that I'm relatively unfamiliar with import maps, one thought is that options 1 and 2 aren't mutually exclusive. As someone who's publishing a library that's intended to be included via a As mentioned above, this doesn't enable SRI for CSS (and other content types) — I don't think it's unreasonable to have some form of link tag that specifies a SRI hash for arbitrary content without preloading, while also allowing people to specify SRI hashes for their javascript via import maps. This path forward would:
Adding SRI to both |
Adding @dandclark and @BoCupp-Microsoft who might like to contribute to this discussion. |
Maybe split
|
Hi. I use import maps a lot and download all dependencies manually as I can't trust cdns or repo owners of external libraries are not compromise. IMHO Integrity will make import maps production ready. Before that it should be flag as insecure for external resources/libraries as most JS library already include Integrity in their copy/paste snippets. As impormaps are becoming popular it is urgent to have integrity before mass adoption. So there is no time to big changes in the spec. The current proposal:
As the urls inside the impormaps are not user faced, I suggest to use the URL fragment to include the integrity.
I personally dislike the use of url fragments, but given the urgency I believe it is important. |
but how do you handle imports with tailing |
Can you provide an example? |
{ |
Note:It is not recommend that use case as some cache servers might consider: http://insecure.site/slider/ The same entry, while origin might map http://insecure.site/slider/ to http://insecure.site/slider/index.js Creating a cache mess. Edit: I think now that your refer to map prefixes. In the previous proposal, you will have an extra hash were you indeed list all the files. If you are going to list all the files with the integrity anyway, just list them in the importmap. |
I like how the "hash" (as we used to refer to URL fragments back in the day) in #221 (comment) actually is a cryptographic hash. I do feel a bit cautious about appropriating the entire fragment for this purpose; a well defined prefix, e.g., |
I'd like to move forward with an integrity proposal in SystemJS and ES Module Shims as an extension of this specification.
Would this repo be the right place to suggest that?
The text was updated successfully, but these errors were encountered: