webpack: lockdown inlining #1101
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
documentation
legobeat
force-pushed
the
naugtur/lockdown-inlining
branch
from
5119a84
to
0fc85d6
Compare
boneskull
approved these changes
Mar 20, 2024
packages/webpack/README.md
Outdated
| - The plugin is attempting to add it as an asset to the compilation for the sake of Developer Experience. Feedback welcome. | ||
| - [SES lockdown][] must be added to the page without any bundling or transforming for any security guarantees to be sustained. | ||
| - The plugin is attempting to add it as an asset to the compilation for the sake of Developer Experience. `.js` extension is omitted to prevent minification. | ||
| - Optionally lockdown can be inlined into the bundle files. It's hard to determine which files are loaded when, so providing filenames for scripts that get to load as the first script on the page to apply lockdown only once is how one uses inlining. |
There was a problem hiding this comment.
This sentence is a little hard to understand
There was a problem hiding this comment.
It was even harder to write 😅
Comment on lines
+9
to
+11
| await t.notThrowsAsync(async () => { | ||
| t.context.build = await scaffold(webpackConfig) | ||
| }, 'Expected the build to succeed') |
There was a problem hiding this comment.
the side-effect here is little malodorous to me, but I'm not sure what a better solution would look like.
There was a problem hiding this comment.
I'm not sure what you mean is a side effect here. scaffold is running the build and returning information it collects. If it fails, we report it as a testsuite failure.
legobeat
reviewed
Apr 15, 2024
legobeat
reviewed
Apr 15, 2024
legobeat
reviewed
Apr 15, 2024
legobeat
reviewed
Apr 15, 2024
legobeat
reviewed
Apr 15, 2024
legobeat
reviewed
Apr 15, 2024
naugtur
force-pushed
the
naugtur/lockdown-inlining
branch
from
113b13b
to
65cff33
Compare
Co-authored-by: Christopher Hiller <boneskull@boneskull.com>
Co-authored-by: legobeat <109787230+legobeat@users.noreply.github.com> Co-authored-by: Christopher Hiller <boneskull@boneskull.com>
naugtur
force-pushed
the
naugtur/lockdown-inlining
branch
from
65cff33
to
0eaa1d2
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Some use-cases (including snaps) need to inline SES lockdown into the bundle file. It's impossible to flawlessly guess which file will be the one to load first on a new page in more complex configurations, so I went with a static list you have to provide. separate file lockdown remains the default approach.
Updated the README with explanation of this and got it up to date with implementation,