New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add subresource integrity support for ES modules, through importmaps #10269
base: main
Are you sure you want to change the base?
Conversation
Some initial comments:
|
Thanks for taking a look!
That's a good point, and I'm currently using the resolved URLs as the keys to the internal lookup, which is admittedly a bit awkward. Moving to use the URLs explicitly makes sense to me, and will simplify the code a bit.
Good point, I missed adding it. Will do!
Yeah, I was planning on testing static imports as well (but ran out of power on the flight :P). Will add that before this will all be ready for review. |
@domenic - I believe this is now ready for review. Also, I marked Chromium as supportive given that I'm implementing this, but let me know if that requires more explicit support from the Chrome team. |
(Also, PR preview doesn't seem to update to the latest version for some reason) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exciting!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for reviewing!! Addressing some of the comments, to clear things up for the rest :)
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
The explainer says:
But in the current PR (as well as the draft CL) the import-map-originating hashes are NOT applied to
Is this intentional, or spec/impl should be fixed? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with some final nits. Hooray!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!!
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
attribute, then set <var>options</var>'s <span | ||
data-x="concept-script-fetch-options-integrity">integrity metadata</span> to the result of | ||
<span>resolving a module integrity metadata</span> with <var>url</var> and | ||
<var>settings object</var>.</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't it be cleaner for this to branch on options integrity metadata being the empty string? I guess it's technically different. So either way we should probably test what integrity=""
plus import map integrity does.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this way would be clearer to devs, but can be convinced either way.
It is tested in https://chromium-review.googlesource.com/c/chromium/src/+/5441822 (lines 55 and 110)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lines 55 and 110 of which file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies, I thought I linked to the file directly: https://chromium-review.googlesource.com/c/chromium/src/+/5441822/30/third_party/blink/web_tests/external/wpt/import-maps/nonimport-integrity.html
This reverts commit b4e94b6.
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5441822 Reviewed-by: Domenic Denicola <domenic@chromium.org> Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/main@{#1297376}
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5441822 Reviewed-by: Domenic Denicola <domenic@chromium.org> Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/main@{#1297376}
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5441822 Reviewed-by: Domenic Denicola <domenic@chromium.org> Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/main@{#1297376} Co-authored-by: Yoav Weiss <yoavweiss@chromium.org>
Based on a proposal by @guybedford.
SRI support for ES module imports would enable using them in documents that require SRI for certain scripts for security or privacy reasons.
(See WHATWG Working Mode: Changes for more details.)
/infrastructure.html ( diff )
/links.html ( diff )
/scripting.html ( diff )
/webappapis.html ( diff )