w3c / webappsec-subresource-integrity

WebAppSec Subresource Integrity
https://w3c.github.io/webappsec-subresource-integrity/

Is it possible to do SRI on importScripts in JS? #79

Open ghost opened 6 years ago

ghost commented 6 years ago

I got the following line of code in my service worker:

importScripts('https://storage.googleapis.com/workbox-cdn/releases/3.2.0/workbox-sw.js');

I was wondering if it was possible to add SRI protection to it or not?

mikewest commented 6 years ago

Not today, unfortunately. It does seem like a good thing to poke at. AFAIK, there were proposals floating around a while ago when module scripts were being defined. @domenic might know where they ended up?
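Because `importScripts()` takes no integrity metadata, the comparison SRI would make can only be run out of band, for instance at build time on a self-hosted copy of the script. The sketch below is an added example, not code from this thread or from the spec: `parseIntegrity`, `verifyIntegrity` and `sriFor` are hypothetical names, the sample bytes are constructed, and unlike a browser it fails closed when the metadata contains no usable hash.

```javascript
// Added example (Node.js): check script bytes against SRI integrity metadata.
const crypto = require('crypto');

// Hash algorithms defined by SRI, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Parse "sha384-<base64>[?options] ..." into {alg, digest} entries.
// Tokens with an unknown algorithm or malformed digest are ignored.
function parseIntegrity(metadata) {
  const entries = [];
  for (const token of metadata.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(\?.*)?$/.exec(token);
    if (m) entries.push({ alg: m[1], digest: m[2] });
  }
  return entries;
}

// True if `bytes` matches any listed digest of the strongest algorithm present.
// Weaker hashes in the same metadata string are not consulted.
function verifyIntegrity(bytes, metadata) {
  const entries = parseIntegrity(metadata);
  if (entries.length === 0) return false; // assumption: fail closed in a build check
  const strongest = entries.reduce((a, b) =>
    STRENGTH.indexOf(b.alg) > STRENGTH.indexOf(a.alg) ? b : a).alg;
  const actual = crypto.createHash(strongest).update(bytes).digest();
  return entries
    .filter((e) => e.alg === strongest)
    .some((e) => {
      const expected = Buffer.from(e.digest, 'base64');
      // timingSafeEqual throws on length mismatch, so check length first.
      return expected.length === actual.length &&
        crypto.timingSafeEqual(expected, actual);
    });
}

// Produce the integrity value to pin for a reviewed copy of a script.
function sriFor(bytes, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(bytes).digest('base64')}`;
}

// Constructed stand-ins for a reviewed script and a modified copy of it.
const reviewed = Buffer.from('self.exampleLib = { version: "1" };\n');
const modified = Buffer.from('self.exampleLib = { version: "1" }; extra();\n');
const pinned = sriFor(reviewed);

console.log(verifyIntegrity(reviewed, pinned)); // copy matches the pinned value
console.log(verifyIntegrity(modified, pinned)); // changed bytes are rejected
```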

domenic commented 6 years ago

I presented https://docs.google.com/presentation/d/1qfoLTniLUVJ5YNFrha7BaVumAnW0ZgcCfUU8UbyyuYY/edit?usp=sharing to TC39 a while back. The conclusion was that we should work on some out of band URL -> fetch options map (option 2). Since then, though, nobody has really done that work.

freshp86 commented 5 years ago

cc @danbeam

Has there been any progress on this issue?

FWIW, I run into this when trying to leverage JS modules within Chrome's NTP page https://chromium-review.googlesource.com/c/chromium/src/+/1590547, which uses SRI.