Thanks for the extra support :)

On Tue, Jun 4, 2024, 09:30 Daniel Bratell <brat...@sarasas.se> wrote:

> Doh, make that a bonus LGTM4. Sorry for the confusion.
>
> /Daniel
> On 2024-06-04 09:29, Daniel Bratell wrote:
>
> LGTM3
>
> /Daniel
> On 2024-05-30 19:41, Vladimir Levin wrote:
>
> LGTM2
>
> On Wed, May 29, 2024 at 11:41 AM Mike Taylor <miketa...@chromium.org>
> wrote:
>
>> LGTM1
>> On 5/24/24 3:13 PM, Yoav Weiss (@Shopify) wrote:
>>
>>
>>
>> On Fri, May 24, 2024 at 7:12 PM Panos Astithas <pastit...@google.com>
>> wrote:
>>
>>>
>>>
>>> On Wed, May 22, 2024 at 2:16 AM Yoav Weiss (@Shopify) <
>>> yoavwe...@chromium.org> wrote:
>>>
>>>>
>>>>
>>>> On Wed, May 22, 2024 at 10:29 AM Yoav Weiss (@Shopify) <
>>>> yoavwe...@chromium.org> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tuesday, May 21, 2024 at 1:04:44 PM UTC+2 Yoav Weiss wrote:
>>>>>
>>>>> Contact emails: yoavwe...@chromium.org
>>>>>
>>>>> Explainer: https://github.com/guybedford/import-maps-extensions#integrity
>>>>>
>>>>> Specification: https://github.com/whatwg/html/pull/10269
>>>>>
>>>>> The PR is ready to land, but we're holding off on that for 2 weeks at
>>>>> Mozilla's request. See below.
>>>>>
>>>>> Summary
>>>>>
>>>>> Imported ES modules can't currently have their integrity checked, and
>>>>> hence cannot run in environments that require Subresource Integrity or
>>>>> with `require-sri-for` CSP directives. This feature adds an `integrity` section
>>>>> to import maps, enabling developers to map ES module URLs to their
>>>>> integrity metadata, and ensure they only load when they match their
>>>>> expected hashes.
>>>>>
>>>>>
>>>>> Blink component: Blink>Loader
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ELoader>
>>>>>
>>>>> TAG review: https://github.com/w3ctag/design-reviews/issues/944
>>>>>
>>>>> TAG review status: Issues addressed
>>>>>
>>>>> Risks
>>>>>
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> On the interoperability front, this got a positive position from
>>>>> WebKit, and I'm implementing the feature there
>>>>> <https://github.com/whatwg/html/pull/10269>. Mozilla didn't object to
>>>>> the feature, but asked
>>>>> <https://docs.google.com/document/d/1iaarr4Ho715CUULrvi_LD3TwshAcN2odDLBBEK0FjH0/edit#bookmark=id.li7pdpi5uloq>
>>>>>
>>>>>
>>>> I just realized that the meeting notes are not publicly viewable.
>>>> +Panos Astithas <pastit...@google.com> - would you be able to open
>>>> them up to the public somehow? (e.g. as a Chromium.org doc)
>>>>
>>>
>>> They were published
>>> <https://github.com/whatwg/html/issues/10340#:~:text=Benjamin%3A%20I%27d%20like%20a%20further%20two%20weeks>
>>> that same day, we try to post the minutes publicly in less than 24 hours.
>>>
>>
>> Oops!! My bad for using the wrong artifact!
>>
>>
>>>
>>>>
>>>>
>>>>> for a couple more weeks to evaluate it and provide a position, as they
>>>>> might be planning broader-scope work on the front of application
>>>>> integrity, and want to make sure this doesn't collide with it.
>>>>>
>>>>>
>>>>> On the compatibility front, the feature is polyfilled
>>>>> <https://github.com/guybedford/es-module-shims/pull/424>, but it's turned
>>>>> off for browsers that support import maps
>>>>> <https://github.com/guybedford/es-module-shims#:~:text=The%20ES%20Module%20Shims%20polyfill%20will%20analyze%20the%20browser%20to%20see%20if%20it%20supports%20import%20maps.%20If%20it%20does%2C%20it%20doesn%27t%20do%20anything%20more>
>>>>> .
>>>>>
>>>>>
>>>>> Adding Guy Bedford, the polyfill author to this thread. Guy, can you
>>>>> confirm this is the case?
>>>>>
>>>>> *Gecko*: No signal
>>>>> <https://github.com/mozilla/standards-positions/issues/1010>
>>>>>
>>>>> *WebKit*: Support
>>>>> <https://github.com/WebKit/standards-positions/issues/335>
>>>>>
>>>>>
>>>>> WebKit PR <https://github.com/WebKit/WebKit/pull/28253> has landed.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *Web developers*: Positive
>>>>> <https://x.com/yoavweiss/status/1778067431417954803>
>>>>> This is based on a proposal from a developer (Guy Bedford).
>>>>> Multiple Shopify properties are interested in this, to enable using ES
>>>>> modules as bundler output in security sensitive environments. Asking about
>>>>> this on twitter and mastodon showed that some developers are interested in
>>>>> this, while others discount SRI in general.
>>>>>
>>>>> *Other signals*:
>>>>>
>>>>> Activation
>>>>>
>>>>> As long as support is not ubiquitous, the `integrity` part of import
>>>>> maps will be ignored in non-supporting browsers, resulting in scripts
>>>>> loading in those browsers even if they're supposed to fail their integrity
>>>>> checks.
>>>>>
>>>>> There's also a polyfill
>>>>> <https://github.com/guybedford/es-module-shims/pull/424> that would
>>>>> enable sites to get integrity support for ES modules in browsers that
>>>>> don't support import maps at all. That's an increasingly slim part of the
>>>>> browser population.
>>>>>
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>>
>>>>>
>>>>> None
>>>>>
>>>>>
>>>>> Debuggability
>>>>>
>>>>> No issues in particular. The feature does emit a few console errors in
>>>>> cases where parsing fails, to help developers debug this.
>>>>>
>>>>>
>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? Yes
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>> Yes
>>>>>
>>>>> https://chromium-review.googlesource.com/c/chromium/src/+/5441822
>>>>>
>>>>>
>>>>> Flag name on chrome://flags: None
>>>>>
>>>>> Finch feature name: ImportMapIntegrity
>>>>>
>>>>> Requires code in //chrome? False
>>>>>
>>>>> Tracking bug: https://issues.chromium.org/issues/334251999
>>>>>
>>>>> Measurement: No use-counter was added so far. If one is needed, I can
>>>>> add it when flipping on the flag.
>>>>>
>>>>>
>>>>> I decided to add a usecounter
>>>>> <https://chromium-review.googlesource.com/c/chromium/src/+/5555942>.
>>>>>
>>>>>
>>>>>
>>>>> Availability expectation: Feature is available in WebKit within a few
>>>>> months of launch in Chromium, if not before. Still waiting on Mozilla's
>>>>> position and plans.
>>>>>
>>>>> Adoption expectation
>>>>> I expect web developers that want to rely on SRI for ES modules to use
>>>>> the feature directly without requiring the polyfill.
>>>>>
>>>>> Adoption plan: Update MDN <https://github.com/mdn/mdn/issues/541> on
>>>>> the integrity section.
>>>>>
>>>>>
>>>>> MDN PR <https://github.com/mdn/content/pull/33712>.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Estimated milestones
>>>>> Shipping on desktop: 127
>>>>> Shipping on Android: 127
>>>>> Shipping on WebView: 127
>>>>>
>>>>> Anticipated spec changes
>>>>>
>>>>> Open questions about a feature may be a source of future web compat or
>>>>> interop issues. Please list open issues (e.g. links to known github issues
>>>>> in the project for the feature specification) whose resolution may
>>>>> introduce web compat/interop risk (e.g., changing to naming or structure
>>>>> of the API in a non-backward-compatible way).
>>>>>
>>>>>
>>>>> No open questions.
>>>>>
>>>>> Link to entry on the Chrome Platform Status:
>>>>> https://chromestatus.com/feature/5157245026566144?gate=5203447331946496
>>>>>
>>>>> Links to previous Intent discussions: Intent to prototype:
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOaYce5MGsXBzw6K_py5yEj_Vx6o_%3DA4CecJm_gaAyU7H6wfPQ%40mail.gmail.com
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://chromestatus.com/>.
>>>>>
>>>>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSKEJ3THh0priUxMe2qg17Z%2BGjo4ecedvnDwpwPQkNiuYg%40mail.gmail.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSKEJ3THh0priUxMe2qg17Z%2BGjo4ecedvnDwpwPQkNiuYg%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSLT8RJngKp-bExM_dtNoEZZKE1rNd0Fe2dyPYkq801cEw%40mail.gmail.com.
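
The `integrity` section described in the Summary, and the Activation caveat that non-supporting browsers ignore it, shown as an added example that is not part of the thread or of Chromium's code: a Node.js build step that emits an import map with an `integrity` entry for every mapped module, plus a release-time audit that re-hashes what is about to be served. The specifiers, URLs, module sources and function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// SRI metadata token ("sha384-<base64 digest>") for a module's source.
function sriFor(source, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(source).digest('base64')}`;
}

// Build an import map whose `integrity` section covers every mapped URL.
// imports: specifier -> URL; sources: URL -> module source from the build.
function buildImportMap(imports, sources) {
  const integrity = {};
  for (const url of Object.values(imports)) {
    if (!(url in sources)) throw new Error(`no build output for ${url}`);
    integrity[url] = sriFor(sources[url]);
  }
  return { imports, integrity };
}

// SRI matching: only the strongest listed algorithm counts; any of its hashes may match.
function matchesIntegrity(metadata, source) {
  const hashes = metadata.trim().split(/\s+/)
    .map((token) => ({ alg: token.slice(0, token.indexOf('-')), token }))
    .filter((h) => Object.hasOwn(STRENGTH, h.alg));
  const best = Math.max(0, ...hashes.map((h) => STRENGTH[h.alg]));
  return hashes.some((h) => STRENGTH[h.alg] === best && h.token === sriFor(source, h.alg));
}

// Release-time audit: report mapped modules with no entry or a stale hash.
function auditImportMap(map, served) {
  const problems = [];
  for (const [specifier, url] of Object.entries(map.imports)) {
    const metadata = (map.integrity || {})[url];
    if (!metadata) problems.push({ specifier, url, issue: 'missing-integrity' });
    else if (!matchesIntegrity(metadata, served[url] ?? ''))
      problems.push({ specifier, url, issue: 'hash-mismatch' });
  }
  return problems;
}

// Constructed sample build output, not taken from the thread.
const IMPORTS = { app: '/assets/app.js', ui: '/assets/ui.js' };
const SOURCES = {
  '/assets/app.js': 'import { h } from "ui";\nh();\n',
  '/assets/ui.js': 'export function h() {}\n',
};
const importMap = buildImportMap(IMPORTS, SOURCES);
console.log(`<script type="importmap">${JSON.stringify(importMap)}</script>`);
```

Unlike the browser, which treats metadata with no recognised hash as "no integrity requested", the audit counts such an entry as a failure.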
