webappsec-subresource-integrity VS JSLint

Seeing this, it reminded me of an interesting topic: caching at browser-level the external libraries used for big performance improvements: https://github.com/w3c/webappsec-subresource-integrity/issue...

All package managers implement strict specifications on this approach to integrity. For example, npm respects the W3C's "Subresource Integrity or SRI" specification, which describes the mechanisms to be implemented to reduce the risk of malicious code injection. You can jump directly here to the specification document if you want to dig deeper.

One proposed solution is checksums on CDN provided javascript:

https://w3c.github.io/webappsec-subresource-integrity/

It's great to hear that you want this added to browsers themselves, and you're right that browsers are more likely to implement such changes if you can show that users are deliberately installing an extension to add the missing functionality.

There has been some discussion at the W3C about extending the SRI spec in this direction[0], but it seems they are reluctant to do that unless "multiple browser vendors" choose to implement something like this.[1] Hopefully the existence and adoption of this browser extension helps to solve that bootstrapping / Catch-22 problem.

As for usability, would it be sufficient to just adopt a TOFU model, where the browser pins the first key it sees for a domain? To prevent the risk of permanently bricking a site (if the key gets lost, or the host gets temporarily compromised) you could politely warn the user that the key has changed, or just show a different colour icon representing that the code is correctly signed with an unknown key.

[0] https://github.com/w3c/webappsec/issues/449

[1] https://github.com/w3c/webappsec-subresource-integrity/issue...

Including the hash is exactly what subresource integrity does (even in a CDN context, conveniently enough), but so far people haven’t figured out a sufficiently non-leaky design to use it for caching[1,2].

[1] https://github.com/w3c/webappsec-subresource-integrity/issue...

[2] https://hillbrad.github.io/sri-addressable-caching/sri-addre...

This is the spec for the language Douglas Crockford (author of the book "JavaScript: The Good Parts", the JSON specification[1], JSLint[2]) had explained in his famous talk: "The Next Programming Language"[3].

The "big things" in the language are the Actor model, favouring immutability and capabilities-based security.

[1] https://en.wikipedia.org/wiki/JSON

[2] https://www.jslint.com/

[3] https://www.youtube.com/watch?v=R2idkNdKqpQ

Someone should write a book about this [0] and a tool to automate checking your JavaScript code [1].

[0]: https://www.oreilly.com/library/view/javascript-the-good/978...

[1]: https://www.jslint.com/

I'm working on a book called "How to not get your knickers in a twist because you neglected to learn from people who came before you."

JavaScript Linter

One way to achieve this is by using linting tools like ESLint or JSLint. These tools automatically analyze your code for errors, stylistic inconsistencies, and potential security vulnerabilities. By customizing the linting rules to align with coding standards and best practices, you can identify and rectify potential security issues early in the development process. Linting helps maintain a clean and secure codebase.

>Does this mean that in theory i could skip the build/bundling step entirely?

You can but you must write your app in something the browser understands (js not ts, css not sass etc) and use native modules. For example, here is the test harness for a custom module, written in pure html with no build step: https://github.com/javajosh/simpatico/blob/master/combine2.h.... Here is a more complex (and much older) example from Crockford: https://www.jslint.com/

And yes, the experience developing this way is quite nice!

I came across a problem where I had to find the ES6 features used by any javascript project and other data regarding their use. When I reached out to stackoverflow, I could find only one relevant post which asks you to use linters like jshint/jshint or compilers like babel. Jslint didn't seem to report anything specific to ES6 and Babel converts all the ES6+ features to ES5 but doesn't report anything regarding which constructs were used or how many times they were used. However, Jshint reported all ES6 features used in the code along with some metadata. And, to suit my needs, I ended up writing a python script that calls Jshint on all JS files in a project and presents the features used in the project and the number of times they were used across all files. You can find the code here : jsHintRunner

Javascript Linting parses and checks if any syntax is violating the rule. If a violation occurs, a warning is shown explaining unexpected behavior. Use the online version for small projects: JSLint, ESLint or JSHint. For larger projects, it is recommended to use a task runner like Gulp or Grunt. Linters ensure developers are following the best practices as a result of which few bugs appear during project development.

Programmers of classical languages hate JavaScript because it's prototype-based, dynamic and weakly typed (among other complaints). It's also the number one most in-demand programming language in 2022 according to a number of independent surveys. JSLint can help you write better JavaScript and JSMin can minify your code before deployment. These tools were created by Douglas Crockford. I would recommend his books JavaScript: The Good Parts for programmers coming to JavaScript for the first time, and How JavaScript Works for experienced JavaScript programmers.