Hello webkit-dev,

For the last couple of years myself and some other Chrome folks have been working on the import maps proposal. This allows controlling the behavior of JavaScript import statements and import() expressions, in particular by allowing the page to customize the translation of the module specifiers used there into URLs. Developer reception of the feature has been very positive, with continual prompting for when it'll be widely available in more browsers, and a plethora of community-created tools and polyfills.

Chrome is working toward shipping this in an imminent release, and we'd love any thoughts or contributions from the WebKit community.

Relevant links:

* Explainer: https://github.com/WICG/import-maps/blob/master/README.md
* Spec (would eventually merge into HTML upon multi-implementer interest): https://wicg.github.io/import-maps/
* Test suite: https://github.com/web-platform-tests/wpt/tree/master/import-maps/ (although getting rearranged a good bit in https://github.com/web-platform-tests/wpt/pull/26239 )
* Mozilla standards position discussion, with lots of web developers contributing: https://github.com/mozilla/standards-positions/issues/146
* Some gathered evidence of developer interest: https://github.com/WICG/import-maps#community-polyfills-and-tooling

Thanks for your time!

-Domenic

On Tue, Oct 27, 2020 at 2:23 PM Domenic Denicola <d@domenic.me> wrote:
> For the last couple of years myself and some other Chrome folks have been working on the import maps proposal. This allows controlling the behavior of JavaScript import statements and import() expressions, in particular by allowing the page to customize the translation of the module specifiers used there into URLs. Developer reception of the feature has been very positive, with continual prompting for when it'll be widely available in more browsers, and a plethora of community-created tools and polyfills.
>
> Chrome is working toward shipping this in an imminent release, and we'd love any thoughts or contributions from the WebKit community.

How is this feature supposed to work with CSP subresource integrity? As far as I've read various specs and the proposal, it's not currently possible to specify any integrity checks on modules loaded via import this. This is a pretty serious downside because it would mean that any remote server ever referenced by an import map becomes a security liability for a given website.

It's a lot worse compared to normal scripts because of the action-at-a-distance of import maps. There is no indication that a given module import could involve access to cross-origin servers isn't obvious from where the import statement appears.

- R. Niwa

Thanks for your response Ryosuke!

From: Ryosuke Niwa <rniwa@webkit.org>
> How is this feature supposed to work with CSP subresource integrity? As far as I've read various specs and the proposal, it's not currently possible to specify any integrity checks on modules loaded via import this. This is a pretty serious downside because it would mean that any remote server ever referenced by an import map becomes a security liability for a given website. It's a lot worse compared to normal scripts because of the action-at-a-distance of import maps. There is no indication that a given module import could involve access to cross-origin servers isn't obvious from where the import statement appears.

Correct, this proposal does not change the status quo regarding models and CSP integrity integration. I can understand how import maps might increase the priority of improving CSP in that way for WebKit, and I imagine the webappsec group would welcome any collaboration on solving that. There are even proposals from community members to piggyback on the import map's <script> to solve this long-standing problem: see https://github.com/guybedford/import-maps-extensions#integrity.

Hope this helps!

-Domenic

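The concern discussed above is that an import map can make a bare specifier resolve to another origin without that being visible at the import statement. As an added example (not code from any poster in this thread or from the import maps project), the script below lists the entries of an import map that resolve cross-origin, so they can be reviewed; the sample map and the `shop.example`, `cdn.example` and `charts.example` hosts are constructed.

```javascript
// Added example: list import-map entries that resolve to another origin.
// The sample map and page URL are constructed for illustration.

// Follow the import maps rule for addresses: URL-like only if it starts with
// "/", "./" or "../", or parses as an absolute URL on its own.
function parseAddress(address, baseURL) {
  if (typeof address !== "string") return null; // null or invalid entry maps to nothing
  if (/^(\/|\.\/|\.\.\/)/.test(address)) return new URL(address, baseURL);
  try {
    return new URL(address);
  } catch {
    return null; // bare word such as "not-a-url" is not a valid address
  }
}

function crossOriginTargets(importMap, pageURL) {
  const pageOrigin = new URL(pageURL).origin;
  const findings = [];
  const scan = (scope, mapping) => {
    for (const [specifier, address] of Object.entries(mapping ?? {})) {
      const url = parseAddress(address, pageURL);
      if (url && url.origin !== pageOrigin) {
        findings.push({ scope, specifier, url: url.href, origin: url.origin });
      }
    }
  };
  scan(null, importMap.imports); // top-level mappings
  for (const [scope, mapping] of Object.entries(importMap.scopes ?? {})) {
    scan(scope, mapping); // mappings that apply only under a scope prefix
  }
  return findings;
}

const sampleMap = {
  imports: {
    "app/": "/js/app/",
    "lodash": "https://cdn.example/lodash-es/lodash.js",
    "broken": "not-a-url",
  },
  scopes: {
    "/admin/": { "chart": "https://charts.example/chart.mjs" },
  },
};

const findings = crossOriginTargets(sampleMap, "https://shop.example/index.html");
for (const f of findings) {
  console.log(`${f.scope ?? "(top level)"}: import "${f.specifier}" -> ${f.url}`);
}
```
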
Hi all,

I realized that there wasn’t a WebKit bug asking for import maps support (<script type="importmap">), so I created one: https://bugs.webkit.org/show_bug.cgi?id=220823.

Thanks for your consideration!

Cheers,
Tom

--
Thomas Steiner, PhD—Developer Advocate (https://blog.tomayac.com, https://twitter.com/tomayac)

Google Germany GmbH, ABC-Str. 19, 20354 Hamburg, Germany
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.23 (GNU/Linux)

iFy0uwAntT0bE3xtRa5AfeCheCkthAtTh3reSabiGbl0ck0fjumBl3DCharaCTersAttH3b0ttom.
hTtPs://xKcd.cOm/1181/
-----END PGP SIGNATURE-----