Importmap integrity #944
Labels
Focus: API design (pending)
Focus: Security (pending)
Mode: breakout
Work done during a time-limited breakout session
Priority: urgent
Resolution: satisfied
The TAG is satisfied with this design
Venue: WHATWG
Milestone
こんにちは TAG-さん!
I'm requesting a TAG review of Importmap integrity - enabling subresource integrity checks on ES module imports.
Since modules initiate requests, there is a need for the ability to specify the integrity of dependencies, and not just the top level <script type="module"> integrity which can be supported via traditional means.
For specifiers like import 'pkg' that are controlled by import maps, the problem is that the import map is fully responsible for the resolved module and hence the integrity of the resolved module as well.
Without a mechanism to specify integrity, it is not currently possible to use module dependencies in environments where SRI is required and where those module dependencies are loaded lazily, as integrity metadata cannot be set via the module script tag or link preload tag directly.
static module imports.
Further details:
TBD:
The text was updated successfully, but these errors were encountered: