[webkit-dev] Request for position on import maps

Ryosuke Niwa rniwa at webkit.org
Tue Oct 27 22:28:00 PDT 2020


On Tue, Oct 27, 2020 at 2:23 PM Domenic Denicola <d at domenic.me> wrote:
>
> For the last couple of years myself some other Chrome folks have been working on the import maps proposal. This allows controlling the behavior of JavaScript import statements and import() expressions, in particular by allowing the page to customize the translation of the module specifiers used there into URLs. Developer reception of the feature has been very positive, with continual prompting for when it'll be widely available in more browsers, and a plethora of community-created tools and polyfills.
>
> Chrome is working toward shipping this in an imminent release, and we'd love any thoughts or contributions from the WebKit community.

How does this feature supposed to work with CSP subresource integrity?
As far as I've read various specs and the proposal, it's not currently
possible to specify any integrity checks on modules loaded via import
this. This is a pretty serious downside because it would mean that any
remote server ever referenced by an import map becomes a security
liability for a given website. It's a lot worse compared to normal
scripts because of the action-at-a-distance of import maps. There is
no indication that a given module import could involve access to
cross-origin servers isn't obvious from where the import statement
appears.

- R. Niwa


More information about the webkit-dev mailing list