Support subresource integrity #174

Closed
nanaian opened this issue Aug 18, 2019 · 2 comments

@nanaian nanaian commented Aug 18, 2019

It would be incredibly useful for import maps to support subresource integrity hashes that are checked against similar to <script integrity=""/>. This is extra important because one of the primary goals of import mapping is to support delivery from 3rd party CDNs (such as unpkg) -- for security, SRI is almost vital when using an external CDN.

This might come in the form:

{
  "imports": {
    "cool-module": [
      { "url": "https://unpkg.com/cool-module@1.0.0?module", "integrity": "sha384-..." },
      "/node_modules/cool-module/index.js"
    ]
  }
}

Note the new option of a { url, integrity } object in place of a string URL on its own.

Alternatively, a top-level integrity object mapping URL to SRI hash might be a better fit as it is backwards-compatible with existing browser and polyfill implementations, and supports adding SRI for nested imports like cool-module/file.js.
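
The alternative in the comment above, a top-level integrity object keyed by resolved URL, sketched as an added Node.js example (not code from the import-maps proposal or from any participant in this thread). The `integrity` key, the `cdn.example` URLs and all function names are assumptions; picking only the strongest listed algorithm mirrors how SRI treats multiple hashes.

```javascript
const { createHash } = require("node:crypto");
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 }; // SRI algorithms, weakest first
const b64 = (alg, data) => createHash(alg).update(data).digest("base64");

// Parse "sha384-<b64> sha512-<b64>"; keep only digests of the strongest algorithm listed.
function parseIntegrity(metadata) {
  const parsed = [];
  for (const token of metadata.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?$/.exec(token);
    if (m) parsed.push({ alg: m[1], digest: m[2] });
  }
  const best = Math.max(0, ...parsed.map((p) => STRENGTH[p.alg]));
  return parsed.filter((p) => STRENGTH[p.alg] === best);
}

// Simplified import-map resolution: exact key first, then the longest "prefix/" key.
function resolve(map, specifier) {
  const imports = map.imports || {};
  if (typeof imports[specifier] === "string") return imports[specifier];
  const prefix = Object.keys(imports)
    .filter((k) => k.endsWith("/") && specifier.startsWith(k))
    .sort((a, b) => b.length - a.length)[0];
  return prefix ? imports[prefix] + specifier.slice(prefix.length) : null;
}

// Status is "ok", "mismatch", "no-integrity" (nothing to check against) or "unmapped".
function checkModule(map, specifier, bytes) {
  const url = resolve(map, specifier);
  if (!url) return { url: null, status: "unmapped" };
  const table = map.integrity || {};
  const candidates = parseIntegrity(Object.hasOwn(table, url) ? String(table[url]) : "");
  if (candidates.length === 0) return { url, status: "no-integrity" };
  const ok = candidates.some((c) => b64(c.alg, bytes) === c.digest);
  return { url, status: ok ? "ok" : "mismatch" };
}

// Constructed sample: integrity values are computed from this body, not from a real package.
const body = Buffer.from("export default 'cool';\n");
const sri = (alg, data) => `${alg}-${b64(alg, data)}`;
const sampleMap = {
  imports: {
    "cool-module": "https://cdn.example/cool-module@1.0.0/index.js",
    "cool-module/": "https://cdn.example/cool-module@1.0.0/",
  },
  integrity: { // hypothetical top-level key: resolved URL -> SRI metadata
    "https://cdn.example/cool-module@1.0.0/index.js": sri("sha384", body),
    "https://cdn.example/cool-module@1.0.0/file.js": `${sri("sha256", "stale")} ${sri("sha512", body)}`,
  },
};
```

A loader built on this would have to decide whether "no-integrity" is acceptable or should fail closed for third-party origins.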

Collaborator

@domenic domenic commented Aug 18, 2019

Heya, this is out of scope for this repository. See discussion at https://github.com/WICG/import-maps#supplying-out-of-band-metadata-for-each-module and the previous similar issue, #99.

I'll close this since we won't be working on it in this repository, but I'm happy to continue discussing in the closed thread.

@domenic domenic closed this Aug 18, 2019

@shannonmoeller shannonmoeller commented Oct 8, 2019

+1 to the idea of using import maps for subresource integrity as import in JS and @import in CSS have no way to specify a sha. Import maps feel like a natural fit for this. Is there documentation, discussion, or an alternate proposal on the topic elsewhere, if not here or #99?
