I'm inclined to LGTM this now - but don't see a lot of harm waiting for 1 additional week (per Mozilla's request in the not-public minutes). Happy to do so before, so long as the HTML PR lands.

On 5/22/24 5:15 AM, Yoav Weiss (@Shopify) wrote:


On Wed, May 22, 2024 at 10:29 AM Yoav Weiss (@Shopify) <yoavwe...@chromium.org> wrote:



    On Tuesday, May 21, 2024 at 1:04:44 PM UTC+2 Yoav Weiss wrote:

        Contact emails: yoavwe...@chromium.org

        Explainer: https://github.com/guybedford/import-maps-extensions#integrity

        Specification: https://github.com/whatwg/html/pull/10269

        The PR is ready to land, but we're holding off on that for 2
        weeks at Mozilla's request. See below.

        Summary

        Imported ES modules can't currently have their integrity
        checked, and hence cannot run in environments that require
        Subresource Integrity or with `require-sri-for` CSP
        directives. This feature adds an `integrity` section to import
        maps, enabling developers to map ES module URLs to their
        integrity metadata, and ensure they only load when they match
        their expected hashes.



        Blink component: Blink>Loader
        <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ELoader>

        TAG review: https://github.com/w3ctag/design-reviews/issues/944

        TAG review status: Issues addressed

        Risks


        Interoperability and Compatibility

        On the interoperability front, this got a positive position
        from WebKit, and I'm implementing the feature there
        <https://github.com/whatwg/html/pull/10269>. Mozilla didn't
        object to the feature, but asked
        
<https://docs.google.com/document/d/1iaarr4Ho715CUULrvi_LD3TwshAcN2odDLBBEK0FjH0/edit#bookmark=id.li7pdpi5uloq>



I just realized that the meeting notes are not publicly viewable.
+Panos Astithas <mailto:pastit...@google.com> - would you be able to open them up to the public somehow? (e.g. as a Chromium.org doc)

        for a couple more weeks to evaluate it and provide a position,
        as they might be planning broader-scope work on the front of
        application integrity, and want to make sure this doesn't
        collide with it.


        On the compatibility front, the feature is polyfilled
        <https://github.com/guybedford/es-module-shims/pull/424>, but
        it's turned off for browsers that support import maps
        
<https://github.com/guybedford/es-module-shims#:~:text=The%20ES%20Module%20Shims%20polyfill%20will%20analyze%20the%20browser%20to%20see%20if%20it%20supports%20import%20maps.%20If%20it%20does%2C%20it%20doesn%27t%20do%20anything%20more>.


        Adding Guy Bedford, the polyfill author to this thread. Guy,
        can you confirm this is the case?


        /Gecko/: No signal
        <https://github.com/mozilla/standards-positions/issues/1010>

        /WebKit/: Support
        <https://github.com/WebKit/standards-positions/issues/335>

    WebKit PR <https://github.com/WebKit/WebKit/pull/28253> has landed.



        /Web developers/: Positive
        <https://x.com/yoavweiss/status/1778067431417954803>
        This is based on a proposal from a developer (Guy Bedford).
        Multiple Shopify properties are interested in this, to enable
        using ES modules as bundler output in security sensitive
        environments. Asking about this on twitter and mastodon showed
        that some developers are interested in this, while others
        discount SRI in general.

        /Other signals/:

        Activation

        As long as support is not ubiquitous, the `integrity` part of
        import maps will be ignored in non-supporting browsers,
        resulting in scripts loading in those browsers even if they're
        supposed to fail their integrity checks.

        There's also a polyfill
        <https://github.com/guybedford/es-module-shims/pull/424> that
        would enable sites to get integrity support for ES modules in
        browsers that don't support import maps at all. That's an
        increasingly slim part of the browser population.



        WebView application risks

        Does this intent deprecate or change behavior of existing
        APIs, such that it has potentially high risk for Android
        WebView-based applications?


        None



        Debuggability

        No issues in particular. The feature does emit a few console
        errors in cases where parsing fails, to help developers debug
        this.



        Will this feature be supported on all six Blink platforms
        (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? Yes

        Is this feature fully tested by web-platform-tests
        <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? Yes


        https://chromium-review.googlesource.com/c/chromium/src/+/5441822



        Flag name on chrome://flags: None

        Finch feature name: ImportMapIntegrity

        Requires code in //chrome? False

        Tracking bug: https://issues.chromium.org/issues/334251999

        Measurement: No use-counter was added so far. If one is needed,
        I can add it when flipping on the flag.


    I decided to add a usecounter
    <https://chromium-review.googlesource.com/c/chromium/src/+/5555942>.



        Availability expectation: Feature is available in WebKit within
        a few months of launch in Chromium, if not before. Still
        waiting on Mozilla's position and plans.

        Adoption expectation
        I expect web developers that want to rely on SRI for ES
        modules to use the feature directly without requiring the
        polyfill.

        Adoption plan: Update MDN
        <https://github.com/mdn/mdn/issues/541> on the integrity section.


    MDN PR <https://github.com/mdn/content/pull/33712>.



        Estimated milestones: Shipping on desktop 127, Shipping on
        Android 127, Shipping on WebView 127

        Anticipated spec changes

        Open questions about a feature may be a source of future web
        compat or interop issues. Please list open issues (e.g. links
        to known github issues in the project for the feature
        specification) whose resolution may introduce web
        compat/interop risk (e.g., changing to naming or structure of
        the API in a non-backward-compatible way).


        No open questions.

        Link to entry on the Chrome Platform Status:
        https://chromestatus.com/feature/5157245026566144?gate=5203447331946496

        Links to previous Intent discussions: Intent to prototype:
        https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOaYce5MGsXBzw6K_py5yEj_Vx6o_%3DA4CecJm_gaAyU7H6wfPQ%40mail.gmail.com

        This intent message was generated by Chrome Platform Status
        <https://chromestatus.com/>.
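
The `integrity` section described in the Summary above, as an added example that is not part of the original thread and is not Chromium, WebKit or polyfill code: a Node.js sketch that builds an import map with sha384 entries and models the per-module check. The URL, module body and function names are constructed for illustration, and `checkModule` is a simplified model of Subresource Integrity matching, not the browser's implementation.

```javascript
// Added example (not from the thread); names and sample data are constructed.
const { createHash } = require("node:crypto");

// SRI metadata token for a module body: "<alg>-<base64 digest>".
function sriHash(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Build an import map whose "integrity" section covers every mapped module.
// `modules` maps a bare specifier to { url, body }.
function buildImportMap(modules) {
  const map = { imports: {}, integrity: {} };
  for (const [specifier, { url, body }] of Object.entries(modules)) {
    map.imports[specifier] = url;
    map.integrity[url] = sriHash(body);
  }
  return map;
}

// Simplified model of the check for one module response. Only the strongest
// algorithm present in the metadata is compared, as in SRI.
const STRENGTH = ["sha256", "sha384", "sha512"];
function checkModule(map, url, body) {
  const metadata = (map.integrity || {})[url];
  if (!metadata) return "unchecked"; // URL not listed: nothing to compare
  const tokens = metadata.trim().split(/\s+/)
    .map((token) => ({ token, rank: STRENGTH.indexOf(token.split("-", 1)[0]) }))
    .filter((t) => t.rank >= 0);
  if (tokens.length === 0) return "unchecked"; // no usable hash in metadata
  const best = Math.max(...tokens.map((t) => t.rank));
  const expected = sriHash(body, STRENGTH[best]);
  return tokens.some((t) => t.rank === best && t.token === expected)
    ? "ok" : "blocked";
}

// Constructed sample: one module as a bundler might emit it.
const APP_URL = "https://cdn.example/assets/app.js";
const APP_BODY = "export const version = 1;\n";
const importMap = buildImportMap({ app: { url: APP_URL, body: APP_BODY } });

// Markup a page would ship, with the map serialized as JSON.
function renderImportMap(map) {
  return `<script type="importmap">${JSON.stringify(map, null, 2)}</script>`;
}

console.log(renderImportMap(importMap));
console.log(checkModule(importMap, APP_URL, APP_BODY));
console.log(checkModule(importMap, APP_URL, APP_BODY + "// tampered"));
```
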
