Kudos, Yoav! Excited to see rapid progress on this: WebKit PR is merged 
\o/, hoping to see this in M127, and fingers crossed for fast follow with 
FF.

As background context and motivation, this is an important building block 
for enabling PCIv4 compliance for ecomm sites. v4 requires that the page 
that includes/embeds payment elements provides auth+integrity guarantees 
for all scripts executing in the parent, and importmap integrity is one of 
the missing pieces to enable that. We need and plan to leverage this for 
checkout at Shopify, and I'm sure other ecomm sites and platforms will need 
it too. For broader context on v4, 
see: https://www.shopify.com/in/partners/blog/checkout-compliance

ig
On Tuesday, May 21, 2024 at 4:04:44 AM UTC-7 yoav...@chromium.org wrote:

> Contact emails: yoav...@chromium.org
>
> Explainer: https://github.com/guybedford/import-maps-extensions#integrity
>
> Specification: https://github.com/whatwg/html/pull/10269
>
> The PR is ready to land, but we're holding off on that for 2 weeks at 
> Mozilla's request. See below.
>
> Summary
>
> Imported ES modules can't currently have their integrity checked, and 
> hence cannot run in environments that require Subresource Integrity or with 
> `require-sri-for` CSP directives. This feature adds an `integrity` section 
> to import maps, enabling developers to map ES module URLs to their 
> integrity metadata, and ensure they only load when they match their 
> expected hashes. 
>
>
> Blink component: Blink>Loader 
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ELoader>
>
> TAG review: https://github.com/w3ctag/design-reviews/issues/944
>
> TAG review status: Issues addressed
>
> Risks
>
>
> Interoperability and Compatibility
>
> On the interoperability front, this got a positive position from WebKit, 
> and I'm implementing the feature there 
> <https://github.com/whatwg/html/pull/10269>. Mozilla didn't object to the 
> feature, but asked 
> <https://docs.google.com/document/d/1iaarr4Ho715CUULrvi_LD3TwshAcN2odDLBBEK0FjH0/edit#bookmark=id.li7pdpi5uloq>
>  
> for a couple more weeks to evaluate it and provide a position, as they 
> might be planning broader-scope work on the front of application integrity, 
> and want to make sure this doesn't collide with it.
>
>
> On the compatibility front, the feature is polyfilled 
> <https://github.com/guybedford/es-module-shims/pull/424>, but it's turned 
> off for browsers that support import maps 
> <https://github.com/guybedford/es-module-shims#:~:text=The%20ES%20Module%20Shims%20polyfill%20will%20analyze%20the%20browser%20to%20see%20if%20it%20supports%20import%20maps.%20If%20it%20does%2C%20it%20doesn%27t%20do%20anything%20more>
> .
>
>
> Adding Guy Bedford, the polyfill author to this thread. Guy, can you 
> confirm this is the case?
>
> *Gecko*: No signal 
> <https://github.com/mozilla/standards-positions/issues/1010>
>
> *WebKit*: Support 
> <https://github.com/WebKit/standards-positions/issues/335>
>
> *Web developers*: Positive 
> <https://x.com/yoavweiss/status/1778067431417954803>
> This is based on a proposal from a developer (Guy Bedford). 
> Multiple Shopify properties are interested in this, to enable using ES 
> modules as bundler output in security sensitive environments. Asking about 
> this on Twitter and Mastodon showed that some developers are interested in 
> this, while others discount SRI in general.
>
> *Other signals*:
>
> Activation
>
> As long as support is not ubiquitous, the `integrity` part of import maps 
> will be ignored in non-supporting browsers, resulting in scripts loading in 
> those browsers even if they're supposed to fail their integrity checks. 
>
> There's also a polyfill 
> <https://github.com/guybedford/es-module-shims/pull/424> that would 
> enable sites to get integrity support for ES modules in browsers that don't 
> support import maps at all. That's an increasingly slim part of the browser 
> population.
>
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that 
> it has potentially high risk for Android WebView-based applications?
>
>
> None
>
>
> Debuggability
>
> No issues in particular. The feature does emit a few console errors in 
> cases where parsing fails, to help developers debug this.
>
>
> Will this feature be supported on all six Blink platforms (Windows, Mac, 
> Linux, ChromeOS, Android, and Android WebView)? Yes
>
> Is this feature fully tested by web-platform-tests 
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
> ? Yes
>
> https://chromium-review.googlesource.com/c/chromium/src/+/5441822
>
>
> Flag name on chrome://flags: None
>
> Finch feature name: ImportMapIntegrity
>
> Requires code in //chrome? False
>
> Tracking bug: https://issues.chromium.org/issues/334251999
>
> Measurement: No use-counter was added so far. If one is needed, I can add 
> it when flipping on the flag.
>
> Availability expectation: Feature is available in WebKit within a few 
> months of launch in Chromium, if not before. Still waiting on Mozilla's 
> position and plans.
>
> Adoption expectation
> I expect web developers that want to rely on SRI for ES modules to use the 
> feature directly without requiring the polyfill.
>
> Adoption plan: Update MDN <https://github.com/mdn/mdn/issues/541> on the 
> integrity section.
>
> Estimated milestones
> Shipping on desktop 127
> Shipping on Android 127
> Shipping on WebView 127
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or 
> interop issues. Please list open issues (e.g. links to known github issues 
> in the project for the feature specification) whose resolution may 
> introduce web compat/interop risk (e.g., changing to naming or structure of 
> the API in a non-backward-compatible way).
>
>
> No open questions.
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5157245026566144?gate=5203447331946496
>
> Links to previous Intent discussions: Intent to prototype: 
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOaYce5MGsXBzw6K_py5yEj_Vx6o_%3DA4CecJm_gaAyU7H6wfPQ%40mail.gmail.com
>
> This intent message was generated by Chrome Platform Status 
> <https://chromestatus.com/>.
>

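The Summary and Activation sections quoted above describe mapping ES module URLs to integrity metadata. The following is an added example, not part of the thread or of any project's code: a Node build step that emits an import map `integrity` section, plus a local re-check that mirrors SRI matching (strongest algorithm wins) and reports modules with no entry as unchecked. The function names, URL and module body are assumptions made for illustration.

```javascript
// Added example (not from the thread): generate an import map "integrity"
// section at build time and re-check module bodies the way SRI matching does.
const { createHash } = require("node:crypto");

const ALGOS = ["sha256", "sha384", "sha512"]; // weakest to strongest, per SRI

// SRI hash expression for a module body, e.g. "sha384-<base64 digest>".
function sriHash(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body).digest("base64")}`;
}

// modules: { specifier: { url, body } } -> import map with imports + integrity.
function buildImportMap(modules) {
  const map = { imports: {}, integrity: {} };
  for (const [specifier, { url, body }] of Object.entries(modules)) {
    map.imports[specifier] = url;
    map.integrity[url] = sriHash(body); // integrity is keyed by module URL
  }
  return map;
}

// Returns "pass", "fail", or "unchecked" (no usable integrity entry for url).
function checkModule(map, url, body) {
  const metadata = (map.integrity || {})[url];
  if (!metadata) return "unchecked";
  const parsed = metadata.trim().split(/\s+/)
    .map((h) => h.split("?")[0]) // drop SRI options, if any
    .map((h) => ({ algo: h.slice(0, h.indexOf("-")), expr: h }))
    .filter((h) => ALGOS.includes(h.algo));
  if (parsed.length === 0) return "unchecked";
  const strongest = parsed.reduce((a, b) =>
    ALGOS.indexOf(b.algo) > ALGOS.indexOf(a.algo) ? b : a).algo;
  const ok = parsed.filter((h) => h.algo === strongest)
    .some((h) => h.expr === sriHash(body, strongest));
  return ok ? "pass" : "fail";
}

// Constructed sample input: the URL and module body are placeholders.
const modules = {
  checkout: { url: "https://cdn.example/checkout.mjs", body: "export const v = 1;\n" },
};
const importMap = buildImportMap(modules);
console.log(JSON.stringify(importMap, null, 2));
console.log(checkModule(importMap, "https://cdn.example/checkout.mjs", "export const v = 2;\n"));
```

An "unchecked" result is the case to audit in a deployment: a module URL with no `integrity` entry is never hash-checked, just as the whole section is ignored by browsers without support.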