[webkit-dev] Request for position on import maps

Domenic Denicola d at domenic.me
Wed Oct 28 12:33:14 PDT 2020

Thanks for your response Ryosuke!

From: Ryosuke Niwa <rniwa at webkit.org> 

> How is this feature supposed to work with CSP subresource integrity?
> As far as I've read various specs and the proposal, it's not currently possible to specify any integrity checks on modules loaded via import this. This is a pretty serious downside because it would mean that any remote server ever referenced by an import map becomes a security liability for a given website. It's a lot worse compared to normal scripts because of the action-at-a-distance of import maps. There is no indication that a given module import could involve access to cross-origin servers; it isn't obvious from where the import statement appears.

Correct, this proposal does not change the status quo regarding modules and CSP integrity integration. I can understand how import maps might increase the priority of improving CSP in that way for WebKit, and I imagine the webappsec group would welcome any collaboration on solving that.

There are even proposals from community members to piggyback on the import map's <script> to solve this long-standing problem: see https://github.com/guybedford/import-maps-extensions#integrity.

Hope this helps!
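The "action at a distance" point in the thread is easiest to see with a small resolver. The following is an added example, not code from the thread or from either spec: it implements the bare-specifier lookup of an import map's "imports" entries (exact match, then longest trailing-slash prefix, with the spec's check that a prefix-mapped result cannot escape its package URL) and audits which entries send a same-origin-looking `import` to another origin, which is exactly where a reviewer would want integrity metadata. Assumptions: only the "imports" key is handled (no "scopes"), keys are matched literally rather than URL-normalized, and the sample map and base URL are constructed.

```javascript
// Added example (not from the webkit-dev thread or any spec text).
// Minimal import-map resolver for the "imports" key plus an audit that lists
// entries resolving to a different origin than the document.

// A bare specifier is anything that is not a relative path or an absolute URL.
function isBareSpecifier(specifier) {
  if (specifier.startsWith("/") || specifier.startsWith("./") || specifier.startsWith("../")) {
    return false;
  }
  try {
    new URL(specifier);
    return false; // parsed as an absolute URL
  } catch {
    return true;
  }
}

// Resolve `specifier` against `importMap` (only `imports` handled here) with
// `baseURL` as the document URL. Returns an absolute URL string, or null when
// resolution must fail (unmapped bare specifier, or a prefix mapping whose
// result would escape the mapped package URL).
function resolveSpecifier(importMap, specifier, baseURL) {
  const imports = importMap.imports || {};

  // 1. Exact match on the specifier.
  if (Object.prototype.hasOwnProperty.call(imports, specifier)) {
    return new URL(imports[specifier], baseURL).href;
  }

  // 2. Longest package-prefix match: keys ending in "/".
  let best = null;
  for (const key of Object.keys(imports)) {
    if (key.endsWith("/") && specifier.startsWith(key) && (best === null || key.length > best.length)) {
      best = key;
    }
  }
  if (best !== null) {
    const packageURL = new URL(imports[best], baseURL).href;
    const resolved = new URL(specifier.slice(best.length), packageURL).href;
    // The remainder must stay inside the package URL ("../" cannot climb out).
    return resolved.startsWith(packageURL) ? resolved : null;
  }

  // 3. No mapping: bare specifiers fail, URL-like specifiers resolve normally.
  if (isBareSpecifier(specifier)) {
    return null;
  }
  return new URL(specifier, baseURL).href;
}

// List every `imports` entry whose target lives on a different origin than the
// document. These are the imports that look local at the `import` site but
// actually fetch from a remote server.
function auditImportMap(importMap, baseURL) {
  const documentOrigin = new URL(baseURL).origin;
  const findings = [];
  for (const [specifier, target] of Object.entries(importMap.imports || {})) {
    const resolved = new URL(target, baseURL);
    if (resolved.origin !== documentOrigin) {
      findings.push({ specifier, url: resolved.href, origin: resolved.origin });
    }
  }
  return findings;
}

// Constructed sample: one remote package mapped two ways, one same-origin path.
const SAMPLE_IMPORT_MAP = {
  imports: {
    "lodash": "https://cdn.example.com/lodash@4/lodash.js",
    "lodash/": "https://cdn.example.com/lodash@4/",
    "app/": "/static/app/",
  },
};
const SAMPLE_BASE_URL = "https://www.example.org/index.html";

if (typeof require !== "undefined" && require.main === module) {
  console.log(resolveSpecifier(SAMPLE_IMPORT_MAP, "lodash/fp.js", SAMPLE_BASE_URL));
  console.log(auditImportMap(SAMPLE_IMPORT_MAP, SAMPLE_BASE_URL));
}
```

Running the audit over a real page's import map before deployment gives the list of remote origins the page will trust for script execution, which is the set Ryosuke's message describes as a liability as long as no integrity mechanism covers mapped modules.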

