W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2021

Re: Subresource Integrity for Lazy-Loaded Resources

From: Guy Bedford <guybedford@gmail.com>
Date: Sun, 7 Mar 2021 10:20:57 +0200
Message-ID: <CAGu7HE=rEWjkfabiztPFeJ6bm2zvMx5EnpsCho1ihDafqW_D0A@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: Daniel Veditz <dveditz@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
A practical example might look something like:

<!doctype html>
<link rel="preload" as="script" href="/dependency.js" integrity="<integrity>" />
<script type="module">
  import '/dependency.js';
  document.querySelector('button.cart').addEventListener('click', async () => {
    // The head of this line is missing from the archived message; the
    // createElement/appendChild pattern here is reconstructed from its tail
    document.head.appendChild(Object.assign(document.createElement('link'),
      { rel: 'stylesheet', href: '/cart.css' }));
    (await import('/cart.js')).render();
  });
</script>

Where having integrity for the files /cart.css and /cart.js is not possible
without inlining the integrity strings into JS code using a custom

With the proposal, something like the following two tags in the head would
support full integrity for the app:

<link rel="preload" as="script" milestone="lazy" href="/cart.js"
integrity="<integrity>" />
<link rel="preload" as="style" milestone="lazy" href="/cart.css"
integrity="<integrity>" />

I'm also open to a rel="integrity" or alternative mechanism that doesn't
conflate with preloading, but as a sort of edge case of a more general
preloading proposal like milestone it might make sense too.

On Sat, 6 Mar 2021 at 23:25, Yoav Weiss <yoav@yoav.ws> wrote:

> On Sat, Mar 6, 2021 at 8:55 PM Daniel Veditz <dveditz@mozilla.com> wrote:
>> I'm having trouble wrapping my head around the concept of using both
>> "preload" and "lazy loading" for the same resources -- don't those work at
>> cross-purposes? Could you write up a simple description or sketch of a
>> timeline of what happens when for these, in relation to other resources,
>> preloaded and not?
> I think the goal here is more to "load" than to "preload".
> The approach of reusing preload here is definitely interesting...
> I think we can go about this in a couple of ways.
> One is to have those declarations only apply to integrity, in which case
> it may make sense to define a separate rel for them. e.g. <link
> rel=subresource integrity=0xbadbeef>.
> Another option is to use those declarations to actually load the resource.
> For that we could stick with preload and go with something like a
> milestone attribute
> <https://docs.google.com/document/d/15k6sLw3hscfsD1BD51FJ_qWLIOVziS33a3Ld-kB-G3w/edit#heading=h.x093xhzcx2f8> to
> help developers indicate *when* that resource is actually needed, and to
> avoid it getting in the way of more critical resources.
>> -Dan Veditz
Received on Sunday, 7 March 2021 08:21:26 UTC