[w3ctag/design-reviews] Importmap integrity (Issue #944)

こんにちは TAG-さん!

I'm requesting a TAG review of Importmap integrity - enabling subresource integrity checks on ES module imports.

Since modules initiate requests, there is a need for the ability to specify the integrity of dependencies, and not just the top level <script type="module"> integrity which can be supported via traditional means.

For specifiers like import 'pkg' that are controlled by import maps, the problem is that the import map is fully responsible for the resolved module and hence the integrity of the resolved module as well.

Without a mechanism to specify integrity, it is not currently possible to use module dependencies with require-sri-for Content Security Policy where those module dependencies are loaded lazily so that the integrity cannot be set via the module script tag or link preload tag directly.

  - Explainer¹ (minimally containing user needs and example code): https://github.com/guybedford/import-maps-extensions?tab=readme-ov-file#integrity
  - Specification URL: https://github.com/whatwg/html/pull/10269
  - Tests: [dynamic module imports](https://chromium-review.googlesource.com/c/chromium/src/+/5441822/6/third_party/blink/web_tests/external/wpt/import-maps/dynamic-integrity.html), 
[static module imports](https://chromium-review.googlesource.com/c/chromium/src/+/5441822/6/third_party/blink/web_tests/external/wpt/import-maps/static-integrity.html).
  - User research: N/A
  - Security and Privacy self-review²: [url]
  - GitHub repo (if you prefer feedback filed there): [url]
  - Primary contacts (and their relationship to the specification):
      - Yoav Weiss (@yoavweiss), Shopify
  - Organization(s)/project(s) driving the specification: Shopify
  - Key pieces of existing multi-stakeholder (e.g. developers, implementers, civil society) support, review or discussion of this specification:
    - Chromium comments: I'm [implementing](https://chromium-review.googlesource.com/c/chromium/src/+/5441822) the feature in Chromium. 
    - Mozilla comments: https://github.com/mozilla/standards-positions/issues/1010
    - WebKit comments: https://github.com/WebKit/standards-positions/issues/335
    - Developers: 
       - This is based on a proposal from a developer (@guybedford).
       - Multiple Shopify properties are interested in this, to enable using ES modules as bundler output in security sensitive environments.
       - Asking about this on [twitter](https://twitter.com/yoavweiss/status/1778067431417954803) and [mastodon](https://mastodon.social/@Yoav/112247393918965759) showed that some developers are interested in this, while others discount SRI in general. 
  - External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):

Further details:

  - [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - Relevant time constraints or deadlines: As this is a small addition to the platform which enables significant architectural improvement to JS based deployments, I'd like to ship this rather soon. With that said, no strict deadline.
  - The group where the work on this specification is currently being done: WHATWG
  - The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue):
  - Major unresolved issues with or opposition to this specification: None
  - This work is being funded by: Shopify

TBD:
* Chrome status link
* Privacy questionnaire
* Chrome team support (if needed)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/944
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/944@github.com>