Currently, importBundle supports computeSourceMapURL and the provided implementation for Node.js uses the hash of the transformed source (the content that is in the bundle and readily verified) to unite a debugger with the original sources. The source map captures both the transformation and the original sourceURL.
Multiple original sources converge on the same transformed source, which creates collisions in the source map.
We must also preserve the invariant that the hash of a bundle is the same regardless of the user that generated the bundle, so the compartment map must not entrain any property that varies with the physical location of the original files.
We could capture the hash of the original source in the compartment map. That would be sufficient to show the right transformation, but if the source map contains the source URL, there will be collisions. For example, the following module likely exists verbatim in multiple physical locations. These will generate the same source map, but the source map contains the source URL and that will vary.
export * from './src/index.js';
We could fold the package name and path into the “source map hash” without disrupting the ability of an auditor and developer to converge on the same bundle hash.
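The collision and the proposed fold, as an added example that is not code from this issue or from the project. SHA-512, the length-prefixed field encoding, the record fields, the package names and the file locations are all assumptions constructed for illustration.

```javascript
// Added example with constructed inputs; not the project's implementation.
const { createHash } = require('node:crypto');

// Hash a list of string fields. Each field is length-prefixed so that
// ('ab', 'c') and ('a', 'bc') cannot produce the same digest.
const sha512 = (...fields) => {
  const hash = createHash('sha512');
  for (const field of fields) {
    const bytes = Buffer.from(field, 'utf8');
    hash.update(`${bytes.length}:`);
    hash.update(bytes);
  }
  return hash.digest('hex');
};

// Scheme described as current: key the source map on transformed source only.
const keyBySource = ({ transformed }) => sha512(transformed);

// Proposed scheme: fold in the package name and the package-relative path.
// Neither value depends on where the package sits on disk.
const keyByIdentity = ({ packageName, modulePath, transformed }) =>
  sha512(packageName, modulePath, transformed);

// Constructed sample: the same re-export module in two packages, plus a
// second checkout of pkg-a on another machine. `transformed` is a stand-in
// string for the transformed source, which is identical in all three.
const barrel = "export * from './src/index.js';";
const mod = (location, packageName) =>
  ({ location, packageName, modulePath: './index.js', transformed: barrel });
const modules = [
  mod('file:///home/dev/app/node_modules/pkg-a/index.js', 'pkg-a'),
  mod('file:///home/dev/app/node_modules/pkg-b/index.js', 'pkg-b'),
  mod('file:///srv/audit/app/node_modules/pkg-a/index.js', 'pkg-a'),
];

// Return the keys that more than one distinct logical module maps to,
// i.e. keys for which a debugger could be handed the wrong source URL.
const ambiguousKeys = (keyOf, mods = modules) => {
  const idsByKey = new Map();
  for (const m of mods) {
    const key = keyOf(m);
    if (!idsByKey.has(key)) idsByKey.set(key, new Set());
    idsByKey.get(key).add(`${m.packageName}/${m.modulePath}`);
  }
  return [...idsByKey].filter(([, ids]) => ids.size > 1).map(([key]) => key);
};
```
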
What is the Problem Being Solved?
Description of the Design
Security Considerations
Scaling Considerations
Test Plan
Upgrade Considerations