Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Subresource integrity for es6 import or worker

Tags:

es6-modules

subresource-integrity

<script> accept integrity attribute, so I can load a module safely:

<script type="module"
  src="https://example.com/module.mjs"
  integrity="sha256-2Kok7MbOyxpgUVvAk/HJ2jigOSYS2auK4Pfzbm7uH60="
  crossorigin="anonymous"
></script>

But how to keep safe when loading module inside script?

  • with import:
import foo from "https://example.com/module.mjs"
  • dynamic import:
import("https://example.com/module.mjs").then(console.log)
  • or even web worker:
const myWorker = new Worker('worker.js')
like image 734
Yukulélé Avatar asked Oct 03 '18 22:10

Yukulélé

People also ask

How does Subresource integrity work?

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

What is integrity attribute in script tag?

The integrity attribute allows a browser to check the fetched script to ensure that the code is never loaded if the source has been manipulated. Subresource Integrity (SRI) is a W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been altered.

How do you use SRI?

To use SRI, a website author wishing to include a resource from a third party can specify a cryptographic hash of the resource in addition to the location of the resource. Browsers fetching the resource can then compare the hash provided by the website author with the hash computed from the resource.

1 Answers

Please see this question

Is it possible to use subresource integrity with ES6 module imports?

You can use RequireJS, and transpile your code to AMD or UMD to achieve this. RequireJS has a hook onNodeCreated, which gives you access to the script tag before it is added to document. You can add the sri attribute onto the script tag:

onNodeCreated: function(node, config, module, path) { node.setAttribute('integrity', integrityForModule); node.setAttribute('crossorigin', 'anonymous'); }

credit: https://stackoverflow.com/a/37065379

I use Webpack (with a target of UMD) and RequireJS. With the relevant modules put in the external section of the webpack configuration file, so the modules are not compiled into the transpiled code.

like image 189
mayank1513 Avatar answered Sep 22 '22 08:09

mayank1513
Sign in to Comment

Related questions

Jest with webpack provide plugin
How to make a class-based custom element side-effect-free so webpack only bundles the explicitly imported components
How to inspect ES6 modules in chrome debugger
Garbage collect unused modules
Webpack ES6 modules circular dependencies when using index files
Uncaught ReferenceError: Cannot access '__WEBPACK_DEFAULT_EXPORT__' before initialization
How to deal with side effects in tree shaking code?
Closure Compiler + Typescript
Is using an ES6 import to load specific names faster than importing a namespace?
IntelliSense not working in React Native stylesheet after first item
Understanding TypeScript and SystemJS WITHOUT Angular
how to let npm package bin run with experimental-modules option?
Can I use ES6 modules in Node.js 8? [duplicate]
Should the index.ts be resolved by TypeScript as default module file?
How can an ES6 module be run as a script in Node?
detect whether ES Module is run from command line in Node
Import from node_modules not recognized in es6 modules in browser
What is the difference between importing a function expression or a function declaration from a ES6 module?
Jest: Mock ES6 Module with both default and named export
can't resolve Cannot find module 'rxjs' within typescript/webpack

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!