Thanks for your response, Ryosuke!

From: Ryosuke Niwa <rn...@webkit.org> 

> How is this feature supposed to work with CSP subresource integrity?
> As far as I've read various specs and the proposal, it's not currently
> possible to specify any integrity checks on modules loaded via import this.
> This is a pretty serious downside because it would mean that any remote server
> ever referenced by an import map becomes a security liability for a given
> website. It's a lot worse compared to normal scripts because of the
> action-at-a-distance of import maps. There is no indication that a given
> module import could involve access to cross-origin servers; it isn't obvious
> from where the import statement appears.

Correct, this proposal does not change the status quo regarding modules and CSP 
integrity integration. I can understand how import maps might increase the 
priority of improving CSP in that way for WebKit, and I imagine the webappsec 
group would welcome any collaboration on solving that. 

There are even proposals from community members to piggyback on the import 
map's <script> to solve this long-standing problem: see 
https://github.com/guybedford/import-maps-extensions#integrity.

Hope this helps!
-Domenic
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
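To make the "action-at-a-distance" concern in the exchange above concrete, here is an added example (not code from the thread, from WebKit, or from the import-maps specification) that models how a bare specifier such as `import "lodash"` is turned into a URL by an import map, and audits each resolution for a cross-origin target that carries no integrity metadata. The resolution logic is a deliberately simplified version of the spec algorithm (exact matches and trailing-slash prefix matches under `imports`, no `scopes`); the `integrity` key mapping resolved URLs to SRI hashes is an assumed shape modelled on the linked import-maps-extensions proposal, not a standard feature; the import map, origins and hash value are all constructed for the example.

```javascript
// Constructed page origin for the example.
const PAGE_ORIGIN = new URL("https://app.example/");

// Constructed import map. "lodash" and "moment" point at third-party CDNs, while
// "utils/" maps to a same-origin directory. The "integrity" block is an ASSUMED
// extension (modelled on the import-maps-extensions proposal), keyed by resolved URL.
const importMap = {
  imports: {
    "lodash": "https://cdn.example.net/lodash@4/lodash.js",
    "moment": "https://other-cdn.example.org/moment.js",
    "utils/": "/static/utils/",
  },
  integrity: {
    "https://cdn.example.net/lodash@4/lodash.js": "sha384-CONSTRUCTED_PLACEHOLDER_HASH",
  },
};

// A specifier is URL-like if it is absolute or starts with "/", "./" or "../";
// anything else is a bare specifier that only an import map can resolve.
function isURLLike(specifier) {
  if (/^(\/|\.\/|\.\.\/)/.test(specifier)) return true;
  try { new URL(specifier); return true; } catch { return false; }
}

// Simplified import-map resolution: exact "imports" match first, then the longest
// trailing-slash prefix match, then plain URL resolution for URL-like specifiers.
function resolveSpecifier(specifier, map, baseURL) {
  const imports = map.imports || {};
  if (Object.prototype.hasOwnProperty.call(imports, specifier)) {
    return new URL(imports[specifier], baseURL).href;
  }
  const prefix = Object.keys(imports)
    .filter((k) => k.endsWith("/") && specifier.startsWith(k))
    .sort((a, b) => b.length - a.length)[0];
  if (prefix !== undefined) {
    const target = new URL(imports[prefix], baseURL);
    return new URL(specifier.slice(prefix.length), target).href;
  }
  if (isURLLike(specifier)) return new URL(specifier, baseURL).href;
  throw new TypeError(`Unmapped bare specifier: ${specifier}`);
}

// Audit one import: where it actually goes, whether that is cross-origin, and
// whether any integrity metadata pins the fetched bytes.
function auditImport(specifier, map, baseURL) {
  const url = resolveSpecifier(specifier, map, baseURL);
  const crossOrigin = new URL(url).origin !== baseURL.origin;
  const integrity = (map.integrity || {})[url] ?? null;
  return { specifier, url, crossOrigin, integrity, unpinned: crossOrigin && integrity === null };
}

// Audit every bare specifier the map knows about.
function auditImportMap(map, baseURL) {
  return Object.keys(map.imports || {})
    .filter((k) => !k.endsWith("/"))
    .map((k) => auditImport(k, map, baseURL));
}

for (const r of auditImportMap(importMap, PAGE_ORIGIN)) {
  console.log(`${r.specifier} -> ${r.url} cross-origin=${r.crossOrigin} unpinned=${r.unpinned}`);
}
```

The point the audit makes is the one raised in the thread: nothing in `import "moment"` tells a reviewer that the bytes come from a third-party origin, and without an integrity entry for that URL the page trusts whatever that server serves. A resolver like this, run over the import map at build or review time, is one cheap way to surface every cross-origin, unpinned module before deployment.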
