Open Fil opened 7 months ago
I had to turn this off because +esm isn’t compatible with SRI; the contents can change. So this probably needs to be paired with #20 to download the modules themselves and thereby guarantee that they can’t change.
Does this even matter anymore since everything is now self-hosted? The scenario where an attacker hacks into the scripts is at the same threat level as an attacker hacking into the website.
I think it’s a lot less important, certainly. I don’t know if there’s a compelling use case if everything is self-hosted, but we could in theory still support it.
We could add subresource integrity hashes to scripts (and stylesheets?).
Related: #20, #303