LGTM1

On 5/24/24 3:13 PM, Yoav Weiss (@Shopify) wrote:


On Fri, May 24, 2024 at 7:12 PM Panos Astithas <pastit...@google.com> wrote:



    On Wed, May 22, 2024 at 2:16 AM Yoav Weiss (@Shopify)
    <yoavwe...@chromium.org> wrote:



        On Wed, May 22, 2024 at 10:29 AM Yoav Weiss (@Shopify)
        <yoavwe...@chromium.org> wrote:



            On Tuesday, May 21, 2024 at 1:04:44 PM UTC+2 Yoav Weiss wrote:

                Contact emails: yoavwe...@chromium.org

                
                Explainer: https://github.com/guybedford/import-maps-extensions#integrity

                Specification: https://github.com/whatwg/html/pull/10269

                The PR is ready to land, but we're holding off on that
                for 2 weeks at Mozilla's request. See below.

                Summary

                Imported ES modules can't currently have their
                integrity checked, and hence cannot run in
                environments that require Subresource Integrity or
                with `require-sri-for` CSP directives. This feature
                adds an `integrity` section to import maps, enabling
                developers to map ES module URLs to their integrity
                metadata, and ensure they only load when they match
                their expected hashes.



                Blink component: Blink>Loader
                <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ELoader>

                TAG review: https://github.com/w3ctag/design-reviews/issues/944

                TAG review status: Issues addressed

                Risks


                Interoperability and Compatibility

                On the interoperability front, this got a positive
                position from WebKit, and I'm implementing the feature
                there <https://github.com/whatwg/html/pull/10269>.
                Mozilla didn't object to the feature, but asked
                <https://docs.google.com/document/d/1iaarr4Ho715CUULrvi_LD3TwshAcN2odDLBBEK0FjH0/edit#bookmark=id.li7pdpi5uloq>



        I just realized that the meeting notes are not publicly viewable.
        +Panos Astithas <mailto:pastit...@google.com> - would you be
        able to open them up to the public somehow? (e.g. as a
        Chromium.org doc)


    They were published
    <https://github.com/whatwg/html/issues/10340#:~:text=Benjamin%3A%20I%27d%20like%20a%20further%20two%20weeks>
    that same day, we try to post the minutes publicly in less than 24 hours.


Oops!! My bad for using the wrong artifact!

                for a couple more weeks to evaluate it and provide a
                position, as they might be planning broader-scope work
                on the front of application integrity, and want to
                make sure this doesn't collide with it.


                On the compatibility front, the feature is polyfilled
                <https://github.com/guybedford/es-module-shims/pull/424>,
                but it's turned off for browsers that support import
                maps
                <https://github.com/guybedford/es-module-shims#:~:text=The%20ES%20Module%20Shims%20polyfill%20will%20analyze%20the%20browser%20to%20see%20if%20it%20supports%20import%20maps.%20If%20it%20does%2C%20it%20doesn%27t%20do%20anything%20more>.


                Adding Guy Bedford, the polyfill author, to this
                thread. Guy, can you confirm this is the case?


                /Gecko/: No signal
                <https://github.com/mozilla/standards-positions/issues/1010>

                /WebKit/: Support
                <https://github.com/WebKit/standards-positions/issues/335>

            WebKit PR <https://github.com/WebKit/WebKit/pull/28253>
            has landed.



                /Web developers/: Positive
                <https://x.com/yoavweiss/status/1778067431417954803>
                This is based on a proposal from a developer (Guy
                Bedford).
                Multiple Shopify properties are interested in this, to
                enable using ES modules as bundler output in
                security-sensitive environments. Asking about this on
                Twitter and Mastodon showed that some developers are
                interested in this, while others discount SRI in general.

                /Other signals/:

                Activation

                As long as support is not ubiquitous, the `integrity`
                part of import maps will be ignored in non-supporting
                browsers, resulting in scripts loading in those
                browsers even if they're supposed to fail their
                integrity checks.

                There's also a polyfill
                <https://github.com/guybedford/es-module-shims/pull/424>
                that would enable sites to get integrity support for
                ES modules in browsers that don't support import maps
                at all. That's an increasingly slim part of the
                browser population.



                WebView application risks

                Does this intent deprecate or change behavior of
                existing APIs, such that it has potentially high risk
                for Android WebView-based applications?


                None



                Debuggability

                No issues in particular. The feature does emit a few
                console errors in cases where parsing fails, to help
                developers debug this.



                Will this feature be supported on all six Blink
                platforms (Windows, Mac, Linux, ChromeOS, Android, and
                Android WebView)? Yes

                Is this feature fully tested by web-platform-tests
                <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? Yes

                https://chromium-review.googlesource.com/c/chromium/src/+/5441822



                Flag name on chrome://flags: None

                Finch feature name: ImportMapIntegrity

                Requires code in //chrome? False

                Tracking bug: https://issues.chromium.org/issues/334251999

                Measurement: No use-counter was added so far. If one is
                needed, I can add it when flipping on the flag.


            I decided to add a use-counter
            <https://chromium-review.googlesource.com/c/chromium/src/+/5555942>.




                Availability expectation: Feature is available in WebKit
                within a few months of launch in Chromium, if not
                before. Still waiting on Mozilla's position and plans.

                Adoption expectation
                I expect web developers that want to rely on SRI for
                ES modules to use the feature directly without
                requiring the polyfill.

                Adoption plan: Update MDN
                <https://github.com/mdn/mdn/issues/541> on the
                integrity section.


            MDN PR <https://github.com/mdn/content/pull/33712>.



                Estimated milestones
                Shipping on desktop: 127
                Shipping on Android: 127
                Shipping on WebView: 127

                Anticipated spec changes

                Open questions about a feature may be a source of
                future web compat or interop issues. Please list open
                issues (e.g. links to known github issues in the
                project for the feature specification) whose
                resolution may introduce web compat/interop risk
                (e.g., changing to naming or structure of the API in a
                non-backward-compatible way).


                No open questions.

                Link to entry on the Chrome Platform Status:
                https://chromestatus.com/feature/5157245026566144?gate=5203447331946496

                Links to previous Intent discussions
                Intent to prototype:
                https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOaYce5MGsXBzw6K_py5yEj_Vx6o_%3DA4CecJm_gaAyU7H6wfPQ%40mail.gmail.com

                This intent message was generated by Chrome Platform
                Status <https://chromestatus.com/>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSKEJ3THh0priUxMe2qg17Z%2BGjo4ecedvnDwpwPQkNiuYg%40mail.gmail.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSKEJ3THh0priUxMe2qg17Z%2BGjo4ecedvnDwpwPQkNiuYg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
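
The following is an added example, not part of the thread and not code from Chromium or the polyfill. It sketches a Node.js build step that emits the import map `integrity` section described in the Summary, plus the load-time decision a supporting browser makes per module URL, using standard SRI strongest-algorithm matching. The function names (`sriHash`, `buildImportMap`, `verifyModule`), the module URLs and the module sources are constructed for illustration, and integrity keys are assumed to be already-resolved URLs.

```javascript
const { createHash } = require("node:crypto");

// SRI algorithms ordered by strength; a Map avoids prototype-key lookups.
const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);

// SRI metadata for one body: "<alg>-<base64 digest>".
function sriHash(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Build step: hash every module and emit the import map with `integrity`.
function buildImportMap(imports, sources) {
  const integrity = {};
  for (const [url, body] of Object.entries(sources)) {
    integrity[url] = sriHash(body);
  }
  return { imports, integrity };
}

// Load-time decision for one module URL. "unchecked" is also what every
// module gets in a browser that ignores the `integrity` section, which is
// the gap the Activation paragraph describes.
function verifyModule(importMap, url, body) {
  const metadata = (importMap.integrity || {})[url];
  if (typeof metadata !== "string") return "unchecked";
  const entries = metadata.trim().split(/\s+/)
    .map((item) => item.split("?")[0]) // drop SRI options
    .map((item) => ({ alg: item.slice(0, item.indexOf("-")), item }))
    .filter((e) => STRENGTH.has(e.alg));
  if (entries.length === 0) return "unchecked"; // nothing usable to enforce
  const best = Math.max(...entries.map((e) => STRENGTH.get(e.alg)));
  const ok = entries
    .filter((e) => STRENGTH.get(e.alg) === best) // strongest algorithm only
    .some((e) => e.item === sriHash(body, e.alg));
  return ok ? "match" : "blocked";
}

// Constructed sample modules and the import map generated from them.
const SOURCES = {
  "/js/app.js": 'import { sum } from "math";\nconsole.log(sum(1, 2));\n',
  "/js/math.js": "export const sum = (a, b) => a + b;\n",
};
const IMPORT_MAP = buildImportMap({ math: "/js/math.js" }, SOURCES);

console.log(JSON.stringify(IMPORT_MAP, null, 2));
console.log(verifyModule(IMPORT_MAP, "/js/math.js", SOURCES["/js/math.js"]));
console.log(verifyModule(IMPORT_MAP, "/js/math.js", "export const sum = 0;\n"));
```

The generated object is what goes inside `<script type="importmap">`; because non-supporting browsers skip the check entirely, the section cannot be the only control on a page that must fail closed.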
