On Wed, May 22, 2024 at 10:29 AM Yoav Weiss (@Shopify) <
yoavwe...@chromium.org> wrote:

>
>
> On Tuesday, May 21, 2024 at 1:04:44 PM UTC+2 Yoav Weiss wrote:
>
> Contact emails: yoavwe...@chromium.org
>
> Explainer: https://github.com/guybedford/import-maps-extensions#integrity
>
> Specification: https://github.com/whatwg/html/pull/10269
>
> The PR is ready to land, but we're holding off on that for 2 weeks at
> Mozilla's request. See below.
>
> Summary
>
> Imported ES modules can't currently have their integrity checked, and
> hence cannot run in environments that require Subresource Integrity or with
> `require-sri-for` CSP directives. This feature adds an `integrity` section
> to import maps, enabling developers to map ES module URLs to their
> integrity metadata, and ensure they only load when they match their
> expected hashes.
>
>
> Blink component: Blink>Loader
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ELoader>
>
> TAG review: https://github.com/w3ctag/design-reviews/issues/944
>
> TAG review status: Issues addressed
>
> Risks
>
>
> Interoperability and Compatibility
>
> On the interoperability front, this got a positive position from WebKit,
> and I'm implementing the feature there
> <https://github.com/whatwg/html/pull/10269>. Mozilla didn't object to the
> feature, but asked
> <https://docs.google.com/document/d/1iaarr4Ho715CUULrvi_LD3TwshAcN2odDLBBEK0FjH0/edit#bookmark=id.li7pdpi5uloq>
>
>
I just realized that the meeting notes are not publicly viewable.
+Panos Astithas <pastit...@google.com> - would you be able to open them up
to the public somehow? (e.g. as a Chromium.org doc)


> for a couple more weeks to evaluate it and provide a position, as they
> might be planning broader-scope work on the front of application integrity,
> and want to make sure this doesn't collide with it.
>
>
> On the compatibility front, the feature is polyfilled
> <https://github.com/guybedford/es-module-shims/pull/424>, but it's turned
> off for browsers that support import maps
> <https://github.com/guybedford/es-module-shims#:~:text=The%20ES%20Module%20Shims%20polyfill%20will%20analyze%20the%20browser%20to%20see%20if%20it%20supports%20import%20maps.%20If%20it%20does%2C%20it%20doesn%27t%20do%20anything%20more>
> .
>
>
> Adding Guy Bedford, the polyfill author to this thread. Guy, can you
> confirm this is the case?
>
> *Gecko*: No signal
> <https://github.com/mozilla/standards-positions/issues/1010>
>
> *WebKit*: Support
> <https://github.com/WebKit/standards-positions/issues/335>
>
>
> WebKit PR <https://github.com/WebKit/WebKit/pull/28253> has landed.
>
>
>
>
> *Web developers*: Positive
> <https://x.com/yoavweiss/status/1778067431417954803>
> This is based on a proposal from a developer (Guy Bedford).
> Multiple Shopify properties are interested in this, to enable using ES
> modules as bundler output in security sensitive environments. Asking about
> this on Twitter and Mastodon showed that some developers are interested in
> this, while others discount SRI in general.
>
> *Other signals*:
>
> Activation
>
> As long as support is not ubiquitous, the `integrity` part of import maps
> will be ignored in non-supporting browsers, resulting in scripts loading in
> those browsers even if they're supposed to fail their integrity checks.
>
> There's also a polyfill
> <https://github.com/guybedford/es-module-shims/pull/424> that would
> enable sites to get integrity support for ES modules in browsers that don't
> support import maps at all. That's an increasingly slim part of the browser
> population.
>
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
>
>
> None
>
>
> Debuggability
>
> No issues in particular. The feature does emit a few console errors in
> cases where parsing fails, to help developers debug this.
>
>
> Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)? Yes
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> Yes
>
> https://chromium-review.googlesource.com/c/chromium/src/+/5441822
>
>
> Flag name on chrome://flags: None
>
> Finch feature name: ImportMapIntegrity
>
> Requires code in //chrome? False
>
> Tracking bug: https://issues.chromium.org/issues/334251999
>
> Measurement: No use-counter was added so far. If one is needed, I can add
> it when flipping on the flag.
>
>
> I decided to add a usecounter
> <https://chromium-review.googlesource.com/c/chromium/src/+/5555942>.
>
>
>
> Availability expectation: Feature is available in WebKit within a few
> months of launch in Chromium, if not before. Still waiting on Mozilla's
> position and plans.
>
> Adoption expectation
> I expect web developers that want to rely on SRI for ES modules to use the
> feature directly without requiring the polyfill.
>
> Adoption plan: Update MDN <https://github.com/mdn/mdn/issues/541> on the
> integrity section.
>
>
> MDN PR <https://github.com/mdn/content/pull/33712>.
>
>
>
>
> Estimated milestones
> Shipping on desktop: 127
> Shipping on Android: 127
> Shipping on WebView: 127
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
>
>
> No open questions.
>
> Link to entry on the Chrome Platform Status:
> https://chromestatus.com/feature/5157245026566144?gate=5203447331946496
>
> Links to previous Intent discussions: Intent to prototype:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOaYce5MGsXBzw6K_py5yEj_Vx6o_%3DA4CecJm_gaAyU7H6wfPQ%40mail.gmail.com
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com/>.
>
>
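
The `integrity` section described in the Summary above, sketched as an added Node.js example that is not part of the original message or of Chromium's code: it generates the section for a set of modules and approximates the SRI match offline. The `cdn.example` URLs, the module sources and all function names are constructed for illustration.

```javascript
// Added example for Node.js; URLs and module sources are constructed sample data.
const { createHash } = require("node:crypto");

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// SRI integrity metadata: "<alg>-<base64 digest>" over the exact response bytes.
function sriHash(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Build an import map whose `integrity` section maps module URLs to hashes.
function buildImportMap(imports, modules) {
  const integrity = {};
  for (const [url, body] of Object.entries(modules)) integrity[url] = sriHash(body);
  return { imports, integrity };
}

// Offline approximation of the SRI match: of the hashes listed for the URL,
// only those using the strongest algorithm count, and any one match is enough.
function moduleMatches(importMap, url, fetchedBody) {
  const tokens = ((importMap.integrity || {})[url] || "").split(/\s+/).filter(Boolean);
  const parsed = tokens
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(t))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
  if (parsed.length === 0) return true; // no usable metadata: nothing to enforce
  const best = Math.max(...parsed.map((p) => STRENGTH[p.alg]));
  return parsed
    .filter((p) => STRENGTH[p.alg] === best)
    .some((p) => sriHash(fetchedBody, p.alg) === `${p.alg}-${p.digest}`);
}

// Constructed sample: two modules served from a hypothetical CDN origin.
const SAMPLE_MODULES = {
  "https://cdn.example/app.js": 'import "./dep.js"; export const ok = true;',
  "https://cdn.example/dep.js": "export const dep = 1;",
};
const SAMPLE_MAP = buildImportMap({ app: "https://cdn.example/app.js" }, SAMPLE_MODULES);

// The JSON that would go inside <script type="importmap"> on the page.
function renderImportMap(map) {
  return JSON.stringify(map, null, 2);
}
```

Hashes must be regenerated whenever a module's bytes change, so a step like `buildImportMap` belongs in the build that emits the modules.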
