-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add subresource integrity support for ES modules, through importmaps #10269
Conversation
Some initial comments:
|
Thanks for taking a look!
That's a good point, and I'm currently using the resolved URLs as the keys to the internal lookup, which is admittedly a bit awkward. Moving to use the URLs explicitly makes sense to me, and will simplify the code a bit.
Good point, I missed adding it. Will do!
Yeah, I was planning on testing static imports as well (but ran out of power on the flight :P). Will add that before this will all be ready for review. |
@domenic - I believe this is now ready for review. Also, I marked Chromium as supportive given that I'm implementing this, but let me know if that requires more explicit support from the Chrome team. |
(Also, PR preview doesn't seem to update to the latest version for some reason) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exciting!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for reviewing!! Addressing some of the comments, to clear things up for the rest :)
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
The explainer says:
But in the current PR (as well as the draft CL) the import-map-originating hashes are NOT applied to
Is this intentional, or spec/impl should be fixed? |
I slightly lean toward the version we have now where it only applies to "imports", not other "module loads". But, I don't feel strongly. @guybedford and other @whatwg/modules people, do you have thoughts? |
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
Has been great to follow this PR, excited to see this one. I think supporting the import map integrity for top-level script loads would be useful. If we are to consider the import map as the source of truth, then updating the import map is enough to update all usage, without having to update every module script reference point. So it would be a net reduction in workflow friction. Implementation would be as described where explicit integrity on a tag acts as an override. If we ever support explicit integrity in import attributes one might expect similar there as well so it isn't necessarily unique to the top-level. If going in that direction, preloads could be nice to support as well, to avoid needing to prune the import map integrity to the non-preloaded graph when generating preloads. While we are working through edge cases - I assume this all applies equally to JSON imports? It would be good to ensure that is tested as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pretty much all minor editorial things at this point, although we have a normative discussion about the interaction with other entry points too.
I find this relatively compelling and in the absence of any counterarguments I'd switch to weakly being in favor of supporting this case. I think the parts of the spec to modify are just the call sites of "fetch an external module script graph" and "fetch a modulepreload module script graph".
To be clear, I think we should support modulepreload, but not preload. (Or prefetch, or If this is too confusing then maybe it's reason to reconsider... After all, we need to be cautious about @hiroshige-g's concern at https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/tWgtOEixAQAJ .
+1. It should work per spec, and adding one or two tests for JSON and CSS module scripts would be great. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!!
SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999
I agree, but it seems like CSS and JSON module scripts are not at all tested with import maps (unless I'm missing something). |
It might be cleaner to override the integrity metadata inside these calls in case it's the empty string (rather than at the call sites). WDYT? |
I think only the call sites will know whether the attribute is absent (should fall back) or the empty string (should probably use the empty string)? |
This reverts commit b4e94b6.
15726a7
to
5996082
Compare
@annevk - any blockers/concerns for landing this? |
…ules, using importmaps, a=testonly Automatic update from web-platform-tests Subresource Integrity support for ES modules, using importmaps (#45638) SRI support for ES modules enables using them in documents that require SRI for certain scripts for security reasons, as well as with the move overarching require-sri-for CSP directive. This CL implements whatwg/html#10269 based on https://github.com/guybedford/import-maps-extensions#integrity I2P: https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI/m/7Jh7_GYsAAAJ?utm_medium=email&utm_source=footer Change-Id: Ida563334048d013ffc658f9783f9401930dd4689 Bug: 334251999 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5441822 Reviewed-by: Domenic Denicola <domenic@chromium.org> Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/main@{#1297376} Co-authored-by: Yoav Weiss <yoavweiss@chromium.org> -- wpt-commits: 7daf23a6329f4577bc3723d5e25eae8eae26e710 wpt-pr: 45638
https://bugs.webkit.org/show_bug.cgi?id=272884 Reviewed by Ryosuke Niwa. Imported ES modules can't currently have integrity checks, which means they can't be used in sites where integrity checks are a necessity, for security and privacy reasons. This implements such support, by adding an "integrity" section to import maps. See whatwg/html#10269 * LayoutTests/TestExpectations: Ignored console logs to avoid flakiness * LayoutTests/imported/w3c/web-platform-tests/import-maps/WEB_FEATURES.yml: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/data-driven/resources/test-helper.js: (createTestIframe): Updated through import. * LayoutTests/imported/w3c/web-platform-tests/import-maps/dynamic-integrity-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/dynamic-integrity.html: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/no-referencing-script-integrity-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/no-referencing-script-integrity-valid-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/no-referencing-script-integrity-valid.html: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/no-referencing-script-integrity.html: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/nonimport-integrity-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/nonimport-integrity.html: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/static-integrity-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/static-integrity.html: Added. * LayoutTests/imported/w3c/web-platform-tests/import-maps/w3c-import.log: Imports. * LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-resources.https-expected.txt: Updated. * LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-resources.https.html: Updated to cover Request.integrity. * LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-request-resources-iframe.https.html: Updated to cover Request.integrity. * LayoutTests/platform/glib/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-resources.https-expected.txt: Updated. * Source/JavaScriptCore/runtime/ImportMap.cpp: (JSC::ImportMap::resolveImportMatch): Typos and spec link. (JSC::parseURLLikeModuleSpecifier): Typos and spec link. (JSC::ImportMap::resolve const): Typos and spec link. (JSC::normalizeSpecifierKey): Typos and spec link. (JSC::sortAndNormalizeSpecifierMap): Typos and spec link. (JSC::ImportMap::registerImportMap): Add parsing for the integrity section. (JSC::ImportMap::getIntegrity const): Getter for integrity based on URL. * Source/JavaScriptCore/runtime/ImportMap.h: * Source/WebCore/bindings/js/ScriptModuleLoader.cpp: (WebCore::ScriptModuleLoader::importModule): Add integrity to outgoing requests. (WebCore::ScriptModuleLoader::notifyFinished): Enforce integrity from the importmap on responses, even if integrity wasn't present in the request. Needed for static imports triggered by JSCore. * Source/WebCore/dom/ScriptElement.cpp: (WebCore::ScriptElement::requestModuleScript): Add integrity to outgoing requests for top-level modules, if they don't already have an integrity attribute. Canonical link: https://commits.webkit.org/279096@main
Two weeks have almost passed :) |
Hi Yoav, thanks, just emailed the stakeholders on our side to collect a final round of opinions. |
Since all the requirements of our process have been met, I plan to merge this in ~24 hours. |
Based on a proposal by @guybedford.
SRI support for ES module imports would enable using them in documents that require SRI for certain scripts for security or privacy reasons.
(See WHATWG Working Mode: Changes for more details.)
/infrastructure.html ( diff )
/links.html ( diff )
/scripting.html ( diff )
/webappapis.html ( diff )