On Fri, May 24, 2024 at 7:12 PM Panos Astithas
<pastit...@google.com> wrote:
On Wed, May 22, 2024 at 2:16 AM Yoav Weiss (@Shopify)
<yoavwe...@chromium.org> wrote:
On Wed, May 22, 2024 at 10:29 AM Yoav Weiss (@Shopify)
<yoavwe...@chromium.org> wrote:
On Tuesday, May 21, 2024 at 1:04:44 PM UTC+2 Yoav
Weiss wrote:
Contact emails: yoavwe...@chromium.org
Explainer: https://github.com/guybedford/import-maps-extensions#integrity
Specification: https://github.com/whatwg/html/pull/10269
The PR is ready to land, but we're holding off
on that for 2 weeks at Mozilla's request. See below.
Summary
Imported ES modules can't currently have their
integrity checked, and hence cannot run in
environments that require Subresource Integrity
or with `require-sri-for` CSP directives. This
feature adds an `integrity` section to import
maps, enabling developers to map ES module URLs
to their integrity metadata, and ensure they
only load when they match their expected hashes.
Blink component: Blink>Loader <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ELoader>
TAG review: https://github.com/w3ctag/design-reviews/issues/944
TAG review status: Issues addressed
Risks
Interoperability and Compatibility
On the interoperability front, this got a
positive position from WebKit, and I'm
implementing the feature there
<https://github.com/whatwg/html/pull/10269>.
Mozilla didn't object to the feature, but asked
<https://docs.google.com/document/d/1iaarr4Ho715CUULrvi_LD3TwshAcN2odDLBBEK0FjH0/edit#bookmark=id.li7pdpi5uloq>
I just realized that the meeting notes are not publicly
viewable.
+Panos Astithas <mailto:pastit...@google.com> - would
you be able to open them up to the public somehow? (e.g.
as a Chromium.org doc)
They were published
<https://github.com/whatwg/html/issues/10340#:~:text=Benjamin%3A%20I%27d%20like%20a%20further%20two%20weeks>
that same day; we try to post the minutes publicly in less than
24 hours.
Oops!! My bad for using the wrong artifact!
for a couple more weeks to evaluate it and
provide a position, as they might be planning
broader-scope work on the front of application
integrity, and want to make sure this doesn't
collide with it.
On the compatibility front, the feature is
polyfilled
<https://github.com/guybedford/es-module-shims/pull/424>,
but it's turned off for browsers that support
import maps
<https://github.com/guybedford/es-module-shims#:~:text=The%20ES%20Module%20Shims%20polyfill%20will%20analyze%20the%20browser%20to%20see%20if%20it%20supports%20import%20maps.%20If%20it%20does%2C%20it%20doesn%27t%20do%20anything%20more>.
Adding Guy Bedford, the polyfill author to this
thread. Guy, can you confirm this is the case?
/Gecko/: No signal
<https://github.com/mozilla/standards-positions/issues/1010>
/WebKit/: Support
<https://github.com/WebKit/standards-positions/issues/335>
WebKit PR
<https://github.com/WebKit/WebKit/pull/28253> has
landed.
/Web developers/: Positive
<https://x.com/yoavweiss/status/1778067431417954803>
This is based on a proposal from a developer
(Guy Bedford).
Multiple Shopify properties are interested in
this, to enable using ES modules as bundler
output in security sensitive environments.
Asking about this on twitter and mastodon showed
that some developers are interested in this,
while others discount SRI in general.
/Other signals/:
Activation
As long as support is not ubiquitous, the
`integrity` part of import maps will be ignored
in non-supporting browsers, resulting in scripts
loading in those browsers even if they're
supposed to fail their integrity checks.
There's also a polyfill
<https://github.com/guybedford/es-module-shims/pull/424>
that would enable sites to get integrity support
for ES modules in browsers that don't support
import maps at all. That's an increasingly slim
part of the browser population.
WebView application risks
Does this intent deprecate or change behavior of
existing APIs, such that it has potentially high
risk for Android WebView-based applications?
None
Debuggability
No issues in particular. The feature does emit a
few console errors in cases where parsing fails,
to help developers debug this.
Will this feature be supported on all six Blink
platforms (Windows, Mac, Linux, ChromeOS,
Android, and Android WebView)? Yes
Is this feature fully tested by
web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? Yes
https://chromium-review.googlesource.com/c/chromium/src/+/5441822
Flag name on chrome://flags: None
Finch feature name: ImportMapIntegrity
Requires code in //chrome? False
Tracking bug: https://issues.chromium.org/issues/334251999
Measurement: No use-counter was added so far. If
one is needed, I can add it when flipping on the
flag.
I decided to add a usecounter
<https://chromium-review.googlesource.com/c/chromium/src/+/5555942>.
Availability expectation: Feature is available in
WebKit within a few months of launch in
Chromium, if not before. Still waiting on
Mozilla's position and plans.
Adoption expectation
I expect web developers that want to rely on SRI
for ES modules to use the feature directly
without requiring the polyfill.
Adoption plan: Update MDN
<https://github.com/mdn/mdn/issues/541> on the
integrity section.
MDN PR <https://github.com/mdn/content/pull/33712>.
Estimated milestones: Shipping on desktop: 127. Shipping on Android: 127. Shipping on WebView: 127.
Anticipated spec changes
Open questions about a feature may be a source
of future web compat or interop issues. Please
list open issues (e.g. links to known github
issues in the project for the feature
specification) whose resolution may introduce
web compat/interop risk (e.g., changing to
naming or structure of the API in a
non-backward-compatible way).
No open questions.
Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/5157245026566144?gate=5203447331946496
Links to previous Intent discussions: Intent to prototype:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOaYce5MGsXBzw6K_py5yEj_Vx6o_%3DA4CecJm_gaAyU7H6wfPQ%40mail.gmail.com
This intent message was generated by Chrome
Platform Status <https://chromestatus.com/>.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSKEJ3THh0priUxMe2qg17Z%2BGjo4ecedvnDwpwPQkNiuYg%40mail.gmail.com
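The Summary above describes the `integrity` section as a map from resolved ES module URLs to SRI metadata that gates module execution. The following added example (not from the thread, the explainer or Chromium) models that check in Python: a constructed import map with an `integrity` entry, simplified import map resolution (exact `imports` matches only, no scopes or prefix entries), SRI matching that honours the strongest listed algorithm, and the unchecked-load case for URLs with no entry. The module source, URLs and import map are all constructed sample data.

```python
import base64
import hashlib
import hmac
from urllib.parse import urljoin

# SRI strength order: only the strongest listed algorithm's digests count.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample module and import map (not from the explainer or Chromium).
BASE_URL = "https://example.com/index.html"
APP_URL = "https://example.com/modules/app.js"
APP_SOURCE = b"export const greet = (name) => `hello ${name}`;\n"

def sri_metadata(body: bytes, algo: str = "sha384") -> str:
    """Build an SRI token such as "sha384-<base64 digest>" for a module body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

IMPORT_MAP = {
    "imports": {"app": "/modules/app.js"},
    "integrity": {APP_URL: sri_metadata(APP_SOURCE)},  # keyed by resolved URL
}

def check_integrity(body: bytes, metadata: str) -> bool:
    """SRI matching: keep the strongest listed algorithm, accept if any digest matches."""
    parsed = []
    for token in metadata.split():
        algo, _, rest = token.partition("-")
        digest = rest.split("?", 1)[0]  # SRI tolerates trailing "?options"
        if algo.lower() in STRENGTH and digest:
            parsed.append((algo.lower(), digest))
    if not parsed:
        return True  # per SRI, no recognised algorithm means no check at all
    strongest = max(STRENGTH[a] for a, _ in parsed)
    return any(
        STRENGTH[a] == strongest
        and hmac.compare_digest(sri_metadata(body, a).encode(), f"{a}-{d}".encode())
        for a, d in parsed
    )

def resolve(specifier: str, base_url: str, import_map: dict) -> str:
    """Simplified resolution: exact "imports" match, else relative URL (no scopes/prefixes)."""
    return urljoin(base_url, import_map.get("imports", {}).get(specifier, specifier))

def load_module(specifier: str, base_url: str, import_map: dict, network: dict):
    """Resolve, fetch from `network` (a dict standing in for the server), apply "integrity"."""
    url = resolve(specifier, base_url, import_map)
    metadata = import_map.get("integrity", {}).get(url)
    if metadata is None:
        return url, True  # no entry: loads unchecked, as in a non-supporting browser
    return url, check_integrity(network[url], metadata)
```

The `md5-...` case shows why an import map's integrity values are worth validating at build time: an unrecognised algorithm silently disables the check rather than blocking the load.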