Add subresource integrity support for ES modules, through importmaps #10269
+185
−28
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Some initial comments:
|
|
Thanks for taking a look!
That's a good point, and I'm currently using the resolved URLs as the keys to the internal lookup, which is admittedly a bit awkward. Moving to use the URLs explicitly makes sense to me, and will simplify the code a bit.
Good point, I missed adding it. Will do!
Yeah, I was planning on testing static imports as well (but ran out of power on the flight :P). Will add that before this will all be ready for review. |
yoavweiss
changed the title
|
@domenic - I believe this is now ready for review. Also, I marked Chromium as supportive given that I'm implementing this, but let me know if that requires more explicit support from the Chrome team. |
|
(Also, PR preview doesn't seem to update to the latest version for some reason) |
This was referenced Apr 15, 2024
1 task
yoavweiss
commented
Apr 15, 2024
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 15, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 15, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 15, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
hiroshige-g
reviewed
Apr 16, 2024
|
The explainer says: But in the current PR (as well as the draft CL) the import-map-originating hashes are NOT applied to
Is this intentional, or spec/impl should be fixed? |
domenic
approved these changes
Apr 24, 2024
yoavweiss
commented
Apr 24, 2024
This was referenced Apr 24, 2024
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 24, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 24, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 24, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 24, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 25, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 25, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 25, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 25, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
annevk
reviewed
Apr 30, 2024
| attribute, then set <var>options</var>'s <span | ||
| data-x="concept-script-fetch-options-integrity">integrity metadata</span> to the result of | ||
| <span>resolving a module integrity metadata</span> with <var>url</var> and | ||
| <var>settings object</var>.</p> |
There was a problem hiding this comment.
Wouldn't it be cleaner for this to branch on options integrity metadata being the empty string? I guess it's technically different. So either way we should probably test what integrity="" plus import map integrity does.
There was a problem hiding this comment.
I think this way would be clearer to devs, but can be convinced either way.
It is tested in https://chromium-review.googlesource.com/c/chromium/src/+/5441822 (lines 55 and 110)
There was a problem hiding this comment.
Apologies, I thought I linked to the file directly: https://chromium-review.googlesource.com/c/chromium/src/+/5441822/30/third_party/blink/web_tests/external/wpt/import-maps/nonimport-integrity.html
This reverts commit b4e94b6.
mozfreddyb
reviewed
May 3, 2024
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
May 7, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
May 7, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5441822 Reviewed-by: Domenic Denicola <domenic@chromium.org> Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/main@{#1297376}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
May 7, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5441822 Reviewed-by: Domenic Denicola <domenic@chromium.org> Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/main@{#1297376}
yoavweiss
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
May 7, 2024
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5441822 Reviewed-by: Domenic Denicola <domenic@chromium.org> Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/main@{#1297376} Co-authored-by: Yoav Weiss <yoavweiss@chromium.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Based on a proposal by @guybedford.
SRI support for ES module imports would enable using them in documents that require SRI for certain scripts for security or privacy reasons.
(See WHATWG Working Mode: Changes for more details.)
/infrastructure.html ( diff )
/links.html ( diff )
/scripting.html ( diff )
/webappapis.html ( diff )