[PROPOSAL] Provide a way to enforce integrity check on module imports

Augusto Moura augusto.borgesm at gmail.com
Sat Aug 1 18:39:06 UTC 2020


Maybe a convention between hosts to prefix an import with an integrity
check?
``` js
import foo from 'sha1sum:ef70d15a0700d2108e0df27dde750f5c682b4697!./foo.js';
```
It looks kinda of dirty, but the specification allows it (aside from the
colon character that is forbidden right now)

This types of urls remember me of a past time when bundlers used to have
loaders prefixes, like `import style from 'css-loader:./styles.css'`

Em sáb., 1 de ago. de 2020 às 14:33, Bergi <a.d.bergi at web.de> escreveu:

> Hi,
>
> > The problem with inlining the integrity into every import site is that
> this
> > is naturally incompatible with import maps.
>
> I don't see a problem with that. When using import maps, you should be
> able to specifiy the integrity check in the import map, not needing it
> in the module itself.
> When not using import maps, specifying the integrity in the importing
> module itself seems to give the best developer experience, following the
> rationale of
> https://github.com/tc39/proposal-import-assertions#why-not-out-of-band.
> When using it in *both* places, then of course both integrity checks
> would need to match, and an import map would be prevented from swapping
> out the module under your hands.
>
> kind regards,
>  Bergi
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>


-- 
Atenciosamente,

Augusto Borges de Moura
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20200801/9a5909c5/attachment-0001.html>


More information about the es-discuss mailing list