search

WICG / import-maps

How to control the behavior of JavaScript imports
https://html.spec.whatwg.org/multipage/webappapis.html#import-maps
Other
2.66k stars 69 forks source link

Import map scripts should support integrity #223

Closed guybedford closed 3 years ago

guybedford commented 3 years ago

I just tested the following under the current Chromium implementation:

<script type="importmap" integrity="sha384-invalid">
{
  "imports": {
    "module": "./module.js"
  }
}
</script>
<script type="module">
import m from 'module';
console.log(m);
</script>

and unfortunately it appears that the integrity check on the import map script itself is not applying.

I was under the impression that the CSP compatibility discussed in #105 would have enabled this.

Is this a spec or implementation bug? Would be good to follow up further as this seems pretty important.

domenic commented 3 years ago

It looks like this is working as intended. integrity="" is about fetch integrity; it modifies the fetch layer. It never works on inline scripts/styles/etc. importmap is the same as module or text/javascript in this regard.

This will work for external import maps (not implemented in Chrome at the moment), but it will not work for inline ones. This makes sense; the threat model for integrity="" is against network attackers, and there is no network involved when an inline import map is included.

It looks like there is a proposal from @mikewest to apply integrity checking to inline scripts, but it hasn't gotten multi-vendor interest, and there's a good deal of skepticism. https://github.com/w3c/webappsec-subresource-integrity/pull/86.

So I don't think there's much for the import maps spec to do here.

guybedford commented 3 years ago

Got it, thanks for the clarification. I will go ahead and implement integrity for src importmaps in SystemJS then. Agreed the inline case isn't necessary unless progress is made elsewhere on this.