Re: Subresource Integrity for Lazy-Loaded Resources from Guy Bedford on 2021-03-07 (public-webappsec@w3.org from March 2021)

From: Guy Bedford <guybedford@gmail.com>
Date: Sun, 7 Mar 2021 10:20:57 +0200
To: Yoav Weiss <yoav@yoav.ws>
Cc: Daniel Veditz <dveditz@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAGu7HE=rEWjkfabiztPFeJ6bm2zvMx5EnpsCho1ihDafqW_D0A@mail.gmail.com>

A practical example might look something like:

```html
<!doctype html>
<link rel="preload" as="script" href="/dependency.js"
integrity="<integrity>" />
<script type="module">
  import '/dependency.js';
  document.querySelector('button.cart').addEventListener('click', async ()
=> {
    document.head.appendChild(Object.assign(document.createElement('link'),
{ rel: 'stylesheet', href: '/cart.css' }));
    (await import('/cart.js')).render();
  });
</script>
```

Where having integrity for the files /cart.css and /cart.js is not possible
without inlining the integrity strings into JS code using a custom
mechanism.

With the proposal, something like the following two tags in the head would
support full integrity for the app:

<link rel="preload" as="script" milestone="lazy" href="/cart.js"
integrity="<integrity>" />
<link rel="preload" as="script" milestone="lazy" href="/cart.css"
integrity="<integrity>" />

I'm also open to a rel="integrity" or alternative mechanism that doesn't
conflate with preloading, but as a sort of edge case of a more general
preloading proposal like milestone it might make sense too.


On Sat, 6 Mar 2021 at 23:25, Yoav Weiss <yoav@yoav.ws> wrote:

>
>
> On Sat, Mar 6, 2021 at 8:55 PM Daniel Veditz <dveditz@mozilla.com> wrote:
>
>> I'm having trouble wrapping my head around the concept of using both
>> "preload" and "lazy loading" for the same resources -- don't those work at
>> cross-purposes? Could you write up a simple description or sketch of a
>> timeline of what happens when for these, in relation to other resources,
>> preloaded and not?
>>
>
> I think the goal here is more to "load" than to "preload".
>
> The approach of reusing preload here is definitely interesting...
> I think we can go about this in a couple of ways.
> One is to have those declarations only apply to integrity, in which case
> it may make sense to define a separate rel for them. e.g. <link
> rel=subresource integrity=0xbadbeef>.
> Another option is to use those declarations to actually load the resource.
> For that we could stick with preload and go with something like a
> milestone attribute
> <https://docs.google.com/document/d/15k6sLw3hscfsD1BD51FJ_qWLIOVziS33a3Ld-kB-G3w/edit#heading=h.x093xhzcx2f8> to
> help developers indicate *when* that resource is actually needed, and to
> avoid it getting in the way of more critical resources.
>
>
>> -Dan Veditz
>>
>

Received on Sunday, 7 March 2021 08:21:26 UTC