Intent to Ship: Importmap integrity

421 views
Skip to first unread message

Yoav Weiss (@Shopify)

unread,
May 21, 2024, 7:04:44 AMMay 21
to blink-dev, guybe...@gmail.com

Contact emails

yoav...@chromium.org

Explainer

https://github.com/guybedford/import-maps-extensions#integrity

Specification

https://github.com/whatwg/html/pull/10269

The PR is ready to land, but we're holding off on that for 2 weeks at Mozilla's request. See below.

Summary

Imported ES modules can't currently have their integrity checked, and hence cannot run in environments that require Subresource Integrity or with `require-sri-for` CSP directives. This feature adds an `integrity` section to import maps, enabling developers to map ES module URLs to their integrity metadata, and ensure they only load when they match their expected hashes.



Blink component

Blink>Loader

TAG review

https://github.com/w3ctag/design-reviews/issues/944

TAG review status

Issues addressed

Risks



Interoperability and Compatibility

On the interoperability front, this got a positive position from WebKit, and I'm implementing the feature there. Mozilla didn't object to the feature, but asked for a couple more weeks to evaluate it and provide a position, as they might be planning broader-scope work on the front of application integrity, and want to make sure this doesn't collide with it.


On the compatibility front, the feature is polyfilled, but it's turned off for browsers that support import maps.


Adding Guy Bedford, the polyfill author to this thread. Guy, can you confirm this is the case?


Gecko: No signal

WebKit: Support

Web developers: Positive
This is based on a proposal from a developer (Guy Bedford). 
Multiple Shopify properties are interested in this, to enable using ES modules as bundler output in security sensitive environments. Asking about this on twitter and mastodon showed that some developers are interested in this, while others discount SRI in general.

Other signals:

Activation

As long as support is not ubiquitous, the `integrity` part of import maps will be ignored in non-supporting browsers, resulting in scripts loading in those browsers even if they're supposed to fail their integrity checks.

There's also a polyfill that would enable sites to get integrity support for ES modules in browsers that don't support import maps at all. That's an increasingly slim part of the browser population.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?


None



Debuggability

No issues in particular. The feature does emit a few console errors in cases where parsing fails, to help developers debug this.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

https://chromium-review.googlesource.com/c/chromium/src/+/5441822



Flag name on chrome://flags

None

Finch feature name

ImportMapIntegrity

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/issues/334251999

Measurement

No use-counter was added so far. If one is needed, I can add it when flipping on the flag.

Availability expectation

Feature is available in WebKit within a few months of launch in Chromium, if not before. Still waiting on Mozilla's position and plans.

Adoption expectation

I expect web developers that want to rely on SRI for ES modules to use the feature directly without requiring the polyfill.

Adoption plan

Update MDN on the integrity section.

Estimated milestones

Shipping on desktop127
Shipping on Android127
Shipping on WebView127


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).


No open questions.

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5157245026566144?gate=5203447331946496

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOaYce5MGsXBzw6K_py5yEj_Vx6o_%3DA4CecJm_gaAyU7H6wfPQ%40mail.gmail.com

This intent message was generated by Chrome Platform Status.

Yoav Weiss (@Shopify)

unread,
May 22, 2024, 4:28:58 AMMay 22
to blink-dev, Yoav Weiss, guybe...@gmail.com


On Tuesday, May 21, 2024 at 1:04:44 PM UTC+2 Yoav Weiss wrote:

The PR is ready to land, but we're holding off on that for 2 weeks at Mozilla's request. See below.

Summary

Imported ES modules can't currently have their integrity checked, and hence cannot run in environments that require Subresource Integrity or with `require-sri-for` CSP directives. This feature adds an `integrity` section to import maps, enabling developers to map ES module URLs to their integrity metadata, and ensure they only load when they match their expected hashes.



Blink componentBlink>Loader

TAG reviewhttps://github.com/w3ctag/design-reviews/issues/944

TAG review statusIssues addressed


Risks


Interoperability and Compatibility

On the interoperability front, this got a positive position from WebKit, and I'm implementing the feature there. Mozilla didn't object to the feature, but asked for a couple more weeks to evaluate it and provide a position, as they might be planning broader-scope work on the front of application integrity, and want to make sure this doesn't collide with it.


On the compatibility front, the feature is polyfilled, but it's turned off for browsers that support import maps.


Adding Guy Bedford, the polyfill author to this thread. Guy, can you confirm this is the case?


Gecko: No signal

WebKit: Support
 
WebKit PR has landed.
 


Web developers: Positive
This is based on a proposal from a developer (Guy Bedford). 
Multiple Shopify properties are interested in this, to enable using ES modules as bundler output in security sensitive environments. Asking about this on twitter and mastodon showed that some developers are interested in this, while others discount SRI in general.

Other signals:

Activation

As long as support is not ubiquitous, the `integrity` part of import maps will be ignored in non-supporting browsers, resulting in scripts loading in those browsers even if they're supposed to fail their integrity checks.

There's also a polyfill that would enable sites to get integrity support for ES modules in browsers that don't support import maps at all. That's an increasingly slim part of the browser population.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?


None



Debuggability

No issues in particular. The feature does emit a few console errors in cases where parsing fails, to help developers debug this.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?Yes

Is this feature fully tested by web-platform-tests?Yes

https://chromium-review.googlesource.com/c/chromium/src/+/5441822



Flag name on chrome://flagsNone

Finch feature nameImportMapIntegrity

Requires code in //chrome?False

Tracking bughttps://issues.chromium.org/issues/334251999

MeasurementNo use-counter was added so far. If one is needed, I can add it when flipping on the flag.

I decided to add a usecounter



Availability expectationFeature is available in WebKit within a few months of launch in Chromium, if not before. Still waiting on Mozilla's position and plans.

Adoption expectation
I expect web developers that want to rely on SRI for ES modules to use the feature directly without requiring the polyfill.

Adoption planUpdate MDN on the integrity section.

MDN PR.
 


Estimated milestonesShipping on desktop127Shipping on Android127Shipping on WebView127


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).


No open questions.

Yoav Weiss (@Shopify)

unread,
May 22, 2024, 5:16:12 AMMay 22
to blink-dev, Panos Astithas, guybe...@gmail.com
On Wed, May 22, 2024 at 10:29 AM Yoav Weiss (@Shopify) <yoav...@chromium.org> wrote:


On Tuesday, May 21, 2024 at 1:04:44 PM UTC+2 Yoav Weiss wrote:
Contact emailsyoav...@chromium.org

Explainerhttps://github.com/guybedford/import-maps-extensions#integrity

Specificationhttps://github.com/whatwg/html/pull/10269

The PR is ready to land, but we're holding off on that for 2 weeks at Mozilla's request. See below.

Summary

Imported ES modules can't currently have their integrity checked, and hence cannot run in environments that require Subresource Integrity or with `require-sri-for` CSP directives. This feature adds an `integrity` section to import maps, enabling developers to map ES module URLs to their integrity metadata, and ensure they only load when they match their expected hashes.



Blink componentBlink>Loader

TAG reviewhttps://github.com/w3ctag/design-reviews/issues/944

TAG review statusIssues addressed

Risks


Interoperability and Compatibility

On the interoperability front, this got a positive position from WebKit, and I'm implementing the feature there. Mozilla didn't object to the feature, but asked


I just realized that the meeting notes are not publicly viewable.
+Panos Astithas - would you be able to open them up to the public somehow? (e.g. as a Chromium.org doc)

Ilya Grigorik

unread,
May 22, 2024, 10:21:51 AMMay 22
to blink-dev, yoav...@chromium.org, guybe...@gmail.com
Kudos, Yoav! Excited to see rapid progress on this: Webkit PR is merged \o/, hoping to see this in M127, and fingers crossed for fast follow with FF.

As background context and motivation, this is an important building block for enabling PCIv4 compliance for ecomm sites. v4 requires that the page that includes/embeds payment elements provides auth+integrity guarantees for all scripts executing in the parent, and importmap integrity is one of the missing pieces to enable that. We need and plan to leverage this for checkout at Shopify, and I'm sure other ecomm sites and platforms will need it too. For broader context on v4, see: https://www.shopify.com/in/partners/blog/checkout-compliance

ig

Mike Taylor

unread,
May 22, 2024, 9:39:59 PMMay 22
to Yoav Weiss (@Shopify), guybe...@gmail.com, blink-dev, Panos Astithas

I'm inclined to LGTM this now - but don't see a lot of harm waiting for 1 additional week (per Mozilla's request in the not-public minutes). Happy to do so before, so long as the HTML PR lands.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSK%3D6VEeSaicP7b1m47btcd7q3dBTR9AoL241bgSPZD7Gw%40mail.gmail.com.

Alex Russell

unread,
May 24, 2024, 11:57:32 AMMay 24
to Mike Taylor, Yoav Weiss (@Shopify), guybe...@gmail.com, blink-dev, Panos Astithas
I'm also not sure why we would wait.

That said, if we're expanding SRI, it would be great to see media resources included. Won't block this intent on it, but for architectural consistency want to flag that we aren't "done".

Panos Astithas

unread,
May 24, 2024, 1:12:30 PMMay 24
to Yoav Weiss (@Shopify), blink-dev, guybe...@gmail.com
On Wed, May 22, 2024 at 2:16 AM Yoav Weiss (@Shopify) <yoav...@chromium.org> wrote:


On Wed, May 22, 2024 at 10:29 AM Yoav Weiss (@Shopify) <yoav...@chromium.org> wrote:


On Tuesday, May 21, 2024 at 1:04:44 PM UTC+2 Yoav Weiss wrote:
Contact emailsyoav...@chromium.org

Explainerhttps://github.com/guybedford/import-maps-extensions#integrity

Specificationhttps://github.com/whatwg/html/pull/10269

The PR is ready to land, but we're holding off on that for 2 weeks at Mozilla's request. See below.

Summary

Imported ES modules can't currently have their integrity checked, and hence cannot run in environments that require Subresource Integrity or with `require-sri-for` CSP directives. This feature adds an `integrity` section to import maps, enabling developers to map ES module URLs to their integrity metadata, and ensure they only load when they match their expected hashes.



Blink componentBlink>Loader

TAG reviewhttps://github.com/w3ctag/design-reviews/issues/944

TAG review statusIssues addressed

Risks


Interoperability and Compatibility

On the interoperability front, this got a positive position from WebKit, and I'm implementing the feature there. Mozilla didn't object to the feature, but asked


I just realized that the meeting notes are not publicly viewable.
+Panos Astithas - would you be able to open them up to the public somehow? (e.g. as a Chromium.org doc)

They were published that same day, we try to post the minutes publicly in less than 24 hours.

Yoav Weiss (@Shopify)

unread,
May 24, 2024, 3:12:22 PMMay 24
to Alex Russell, Mike Taylor, guybe...@gmail.com, blink-dev, Panos Astithas
On Fri, May 24, 2024 at 5:57 PM Alex Russell <sligh...@chromium.org> wrote:
I'm also not sure why we would wait.

Waiting a few more days won't change much, so it's perfectly fine.


That said, if we're expanding SRI, it would be great to see media resources included. Won't block this intent on it, but for architectural consistency want to flag that we aren't "done".

I agree in principle, but media resources are more complex, as they can be "executed" progressively. 
SRI in its current form would mean they are inherently slower, and expanding SRI to enable something like Merkle-Tree-based hashes seems like a significant expansion.
At the same time, maybe Mozilla's plans around application integrity would cover that use case.

Yoav Weiss (@Shopify)

unread,
May 24, 2024, 3:13:35 PMMay 24
to Panos Astithas, blink-dev, guybe...@gmail.com
On Fri, May 24, 2024 at 7:12 PM Panos Astithas <past...@google.com> wrote:


On Wed, May 22, 2024 at 2:16 AM Yoav Weiss (@Shopify) <yoav...@chromium.org> wrote:


On Wed, May 22, 2024 at 10:29 AM Yoav Weiss (@Shopify) <yoav...@chromium.org> wrote:


On Tuesday, May 21, 2024 at 1:04:44 PM UTC+2 Yoav Weiss wrote:
Contact emailsyoav...@chromium.org

Explainerhttps://github.com/guybedford/import-maps-extensions#integrity

Specificationhttps://github.com/whatwg/html/pull/10269

The PR is ready to land, but we're holding off on that for 2 weeks at Mozilla's request. See below.

Summary

Imported ES modules can't currently have their integrity checked, and hence cannot run in environments that require Subresource Integrity or with `require-sri-for` CSP directives. This feature adds an `integrity` section to import maps, enabling developers to map ES module URLs to their integrity metadata, and ensure they only load when they match their expected hashes.



Blink componentBlink>Loader

TAG reviewhttps://github.com/w3ctag/design-reviews/issues/944

TAG review statusIssues addressed

Risks


Interoperability and Compatibility

On the interoperability front, this got a positive position from WebKit, and I'm implementing the feature there. Mozilla didn't object to the feature, but asked


I just realized that the meeting notes are not publicly viewable.
+Panos Astithas - would you be able to open them up to the public somehow? (e.g. as a Chromium.org doc)

They were published that same day, we try to post the minutes publicly in less than 24 hours.

Oops!! My bad for using the wrong artifact! 

Mike Taylor

unread,
May 29, 2024, 11:42:00 AMMay 29
to Yoav Weiss (@Shopify), Panos Astithas, blink-dev, guybe...@gmail.com

LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Vladimir Levin

unread,
May 30, 2024, 1:41:29 PMMay 30
to Mike Taylor, Yoav Weiss (@Shopify), Panos Astithas, blink-dev, guybe...@gmail.com

Chris Harrelson

unread,
May 30, 2024, 2:57:31 PMMay 30
to Vladimir Levin, Mike Taylor, Yoav Weiss (@Shopify), Panos Astithas, blink-dev, guybe...@gmail.com

Daniel Bratell

unread,
Jun 4, 2024, 3:29:48 AM (12 days ago) Jun 4
to Vladimir Levin, Mike Taylor, Yoav Weiss (@Shopify), Panos Astithas, blink-dev, guybe...@gmail.com

Daniel Bratell

unread,
Jun 4, 2024, 3:30:58 AM (12 days ago) Jun 4
to Vladimir Levin, Mike Taylor, Yoav Weiss (@Shopify), Panos Astithas, blink-dev, guybe...@gmail.com

Doh, make that a bonus LGTM4. Sorry for the confusion.

/Daniel

Yoav Weiss (@Shopify)

unread,
Jun 4, 2024, 3:33:05 AM (12 days ago) Jun 4
to Daniel Bratell, Vladimir Levin, Mike Taylor, Panos Astithas, blink-dev, guybe...@gmail.com
Thanks for the extra support :)
Reply all
Reply to author
Forward
0 new messages