Re: [PROPOSAL] Provide a way to enforce integrity check on module imports
That seems like something that could possibly be achieved via https://github.com/tc39/proposal-import-assertions On Sat, Aug 1, 2020 at 1:15 AM Michaël Rouges wrote: > Hi all, > > As proposed a year ago on an old repository (thanks to ljharb, noticed me > that fact), on the browser side, the integrity check should be controllable > **for each imported module**. Actually, it's just impossible to do it > without bundling. > > > https://github.com/tc39/proposal-dynamic-import/issues/76#issuecomment-494686580 > > What's your opinion on this, please? > > Michaël Rouges - https://github.com/Lcfvs - @Lcfvs > ___ > es-discuss mailing list > es-discuss@mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > ___ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss
Re: [PROPOSAL] Provide a way to enforce integrity check on module imports
The problem with inlining the integrity into every import site is that this is naturally incompatible with import maps. On Sat, 1 Aug 2020 at 08:57, Jordan Harband wrote: > That seems like something that could possibly be achieved via > https://github.com/tc39/proposal-import-assertions > > On Sat, Aug 1, 2020 at 1:15 AM Michaël Rouges > wrote: > >> Hi all, >> >> As proposed a year ago on an old repository (thanks to ljharb, noticed me >> that fact), on the browser side, the integrity check should be controllable >> **for each imported module**. Actually, it's just impossible to do it >> without bundling. >> >> >> https://github.com/tc39/proposal-dynamic-import/issues/76#issuecomment-494686580 >> >> What's your opinion on this, please? >> >> Michaël Rouges - https://github.com/Lcfvs - @Lcfvs >> ___ >> es-discuss mailing list >> es-discuss@mozilla.org >> https://mail.mozilla.org/listinfo/es-discuss >> > ___ > es-discuss mailing list > es-discuss@mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > ___ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss
Re: [PROPOSAL] Provide a way to enforce integrity check on module imports
Hi, > The problem with inlining the integrity into every import site is that this > is naturally incompatible with import maps. I don't see a problem with that. When using import maps, you should be able to specifiy the integrity check in the import map, not needing it in the module itself. When not using import maps, specifying the integrity in the importing module itself seems to give the best developer experience, following the rationale of https://github.com/tc39/proposal-import-assertions#why-not-out-of-band. When using it in *both* places, then of course both integrity checks would need to match, and an import map would be prevented from swapping out the module under your hands. kind regards, Bergi ___ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss
Re: [PROPOSAL] Provide a way to enforce integrity check on module imports
Maybe a convention between hosts to prefix an import with an integrity check? ``` js import foo from 'sha1sum:ef70d15a0700d2108e0df27dde750f5c682b4697!./foo.js'; ``` It looks kinda of dirty, but the specification allows it (aside from the colon character that is forbidden right now) This types of urls remember me of a past time when bundlers used to have loaders prefixes, like `import style from 'css-loader:./styles.css'` Em sáb., 1 de ago. de 2020 às 14:33, Bergi escreveu: > Hi, > > > The problem with inlining the integrity into every import site is that > this > > is naturally incompatible with import maps. > > I don't see a problem with that. When using import maps, you should be > able to specifiy the integrity check in the import map, not needing it > in the module itself. > When not using import maps, specifying the integrity in the importing > module itself seems to give the best developer experience, following the > rationale of > https://github.com/tc39/proposal-import-assertions#why-not-out-of-band. > When using it in *both* places, then of course both integrity checks > would need to match, and an import map would be prevented from swapping > out the module under your hands. > > kind regards, > Bergi > ___ > es-discuss mailing list > es-discuss@mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > -- Atenciosamente, Augusto Borges de Moura ___ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss
