[PROPOSAL] Provide a way to enforce integrity check on module imports

Hi all,

As proposed a year ago on an old repository (thanks to ljharb, noticed me
that fact), on the browser side, the integrity check should be controllable
**for each imported module**. Actually, it's just impossible to do it
without bundling.

https://github.com/tc39/proposal-dynamic-import/issues/76#issuecomment-494686580

What's your opinion on this, please?

Michaël Rouges - https://github.com/Lcfvs - @Lcfvs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20200801/5775df17/attachment.html>

That seems like something that could possibly be achieved via
https://github.com/tc39/proposal-import-assertions

On Sat, Aug 1, 2020 at 1:15 AM Michaël Rouges <michael.rouges at gmail.com>
wrote:

> Hi all,
>
> As proposed a year ago on an old repository (thanks to ljharb, noticed me
> that fact), on the browser side, the integrity check should be controllable
> **for each imported module**. Actually, it's just impossible to do it
> without bundling.
>
>
> https://github.com/tc39/proposal-dynamic-import/issues/76#issuecomment-494686580
>
> What's your opinion on this, please?
>
> Michaël Rouges - https://github.com/Lcfvs - @Lcfvs
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20200801/dbf13049/attachment.html>

The problem with inlining the integrity into every import site is that this
is naturally incompatible with import maps.

On Sat, 1 Aug 2020 at 08:57, Jordan Harband <ljharb at gmail.com> wrote:

> That seems like something that could possibly be achieved via
> https://github.com/tc39/proposal-import-assertions
>
> On Sat, Aug 1, 2020 at 1:15 AM Michaël Rouges <michael.rouges at gmail.com>
> wrote:
>
>> Hi all,
>>
>> As proposed a year ago on an old repository (thanks to ljharb, noticed me
>> that fact), on the browser side, the integrity check should be controllable
>> **for each imported module**. Actually, it's just impossible to do it
>> without bundling.
>>
>>
>> https://github.com/tc39/proposal-dynamic-import/issues/76#issuecomment-494686580
>>
>> What's your opinion on this, please?
>>
>> Michaël Rouges - https://github.com/Lcfvs - @Lcfvs
>> _______________________________________________
>> es-discuss mailing list
>> es-discuss at mozilla.org
>> https://mail.mozilla.org/listinfo/es-discuss
>>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20200801/61b547d4/attachment.html>

Hi,

> The problem with inlining the integrity into every import site is that this
> is naturally incompatible with import maps.

I don't see a problem with that. When using import maps, you should be
able to specifiy the integrity check in the import map, not needing it
in the module itself.
When not using import maps, specifying the integrity in the importing
module itself seems to give the best developer experience, following the
rationale of
https://github.com/tc39/proposal-import-assertions#why-not-out-of-band.
When using it in *both* places, then of course both integrity checks
would need to match, and an import map would be prevented from swapping
out the module under your hands.

kind regards,
 Bergi

Maybe a convention between hosts to prefix an import with an integrity
check?
``` js
import foo from 'sha1sum:ef70d15a0700d2108e0df27dde750f5c682b4697!./foo.js';
```
It looks kinda of dirty, but the specification allows it (aside from the
colon character that is forbidden right now)

This types of urls remember me of a past time when bundlers used to have
loaders prefixes, like `import style from 'css-loader:./styles.css'`

Em sáb., 1 de ago. de 2020 às 14:33, Bergi <a.d.bergi at web.de> escreveu:

> Hi,
>
> > The problem with inlining the integrity into every import site is that
> this
> > is naturally incompatible with import maps.
>
> I don't see a problem with that. When using import maps, you should be
> able to specifiy the integrity check in the import map, not needing it
> in the module itself.
> When not using import maps, specifying the integrity in the importing
> module itself seems to give the best developer experience, following the
> rationale of
> https://github.com/tc39/proposal-import-assertions#why-not-out-of-band.
> When using it in *both* places, then of course both integrity checks
> would need to match, and an import map would be prevented from swapping
> out the module under your hands.
>
> kind regards,
>  Bergi
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>


-- 
Atenciosamente,

Augusto Borges de Moura
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20200801/9a5909c5/attachment-0001.html>