webappsec-subresource-integrity VS import-maps

Compare webappsec-subresource-integrity vs import-maps and see how they differ.

              webappsec-subresource-integrity            import-maps
Mentions      5                                          45
Stars         69                                         2,624
Growth        -                                          1.2%
Activity      0.0                                        3.1
Last commit   about 1 year ago                           5 months ago
Language      HTML                                       JavaScript
License       GNU General Public License v3.0 or later   GNU General Public License v3.0 or later
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

webappsec-subresource-integrity

Posts with mentions or reviews of webappsec-subresource-integrity. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-05-03.
  • JavaScript import maps are now supported cross-browser
    14 projects | news.ycombinator.com | 3 May 2023
    Seeing this, it reminded me of an interesting topic: caching at browser-level the external libraries used for big performance improvements: https://github.com/w3c/webappsec-subresource-integrity/issue...
  • 📦 Everything you need to know: package managers
    9 projects | dev.to | 2 Nov 2022
    All package managers implement strict specifications on this approach to integrity. For example, npm respects the W3C's "Subresource Integrity or SRI" specification, which describes the mechanisms to be implemented to reduce the risk of malicious code injection. You can jump directly here to the specification document if you want to dig deeper.
  • Python 3.11 in the Web Browser
    9 projects | news.ycombinator.com | 26 Mar 2022
    One proposed solution is checksums on CDN provided javascript:

    https://w3c.github.io/webappsec-subresource-integrity/

  • How Cloudflare verifies the code WhatsApp Web serves to users
    2 projects | news.ycombinator.com | 10 Mar 2022
    It's great to hear that you want this added to browsers themselves, and you're right that browsers are more likely to implement such changes if you can show that users are deliberately installing an extension to add the missing functionality.

    There has been some discussion at the W3C about extending the SRI spec in this direction[0], but it seems they are reluctant to do that unless "multiple browser vendors" choose to implement something like this.[1] Hopefully the existence and adoption of this browser extension helps to solve that bootstrapping / Catch-22 problem.

    As for usability, would it be sufficient to just adopt a TOFU model, where the browser pins the first key it sees for a domain? To prevent the risk of permanently bricking a site (if the key gets lost, or the host gets temporarily compromised) you could politely warn the user that the key has changed, or just show a different colour icon representing that the code is correctly signed with an unknown key.

    [0] https://github.com/w3c/webappsec/issues/449

    [1] https://github.com/w3c/webappsec-subresource-integrity/issue...

  • “Outlook just asked me if I want to upgrade to bigger ads?”
    3 projects | news.ycombinator.com | 18 Feb 2022
    Including the hash is exactly what subresource integrity does (even in a CDN context, conveniently enough), but so far people haven’t figured out a sufficiently non-leaky design to use it for caching[1,2].

    [1] https://github.com/w3c/webappsec-subresource-integrity/issue...

    [2] https://hillbrad.github.io/sri-addressable-caching/sri-addre...

import-maps

Posts with mentions or reviews of import-maps. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-05-22.
  • It is hard to avoid JavaScript
    1 project | news.ycombinator.com | 25 Feb 2024
    Long time huge fan of JS. I appreciate your calling out the multi-paradigm aspect; having these first class functions & prototype based inheritance has been so flexible.

    TC39 has done a great job shaping the language over the years. New capabilities are usually well thought out & integrate well. Async await has been amazing.

    The one major miss that makes me so sad and frustrated is modules; js has gotten better everywhere except its near requirement for build tooling. Being able to throw some scripts on a page and go is still an unparalleled experience in the world, is so direct & tactile an experience. EcmaScript Modules was supposed to improve things, help get us back, but imports using url specifiers made the whole thing non-modular, was a miss. We're still tangled & torn. Import-maps has finally fixed but it's nowhere near as straightforward, and it still doesn't work in workers, which leaves us infuriatingly short of where the past was. https://github.com/WICG/import-maps/issues/2

  • 'Mother of all breaches' data leak reveals 26B account stolen records
    1 project | news.ycombinator.com | 26 Jan 2024
    makes sure your app is getting the download it expects. Adoption is probably pretty minimal though. https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

    I think the big thing making this unlikely though is that very few folks use cdns these days. We designed ESM as a module system for the language, but then took a good fraction of a decade to build import-maps, to let us actually use modules in a modular way. Good news, we can finally use modules modularly! https://caniuse.com/import-maps

    Bad news? Oh import-maps only works for the simplest case. Doesn't work in webworkers/service workers. https://github.com/WICG/import-maps/issues/2

    The point is that single page apps almost always are bundled together, as using CDNs hasn't even been technically possible.

    Also, CDNs are kind of somewhat pointless, now that http caches are partitioned by origin (for security reasons). They might have better anycast infrastructure to get the content out faster, but without the caching there's no inherent advantage. The user will download the same jquery file again in each site they go to, not already having it cached anymore. Bah humbug!

  • Rails Frontend Bundling - Which one should I choose?
    5 projects | dev.to | 22 May 2023
  • ESM dynamic imports
    1 project | /r/Angular2 | 16 May 2023
  • JavaScript import maps are now supported cross-browser
    14 projects | news.ycombinator.com | 3 May 2023
    https://github.com/WICG/import-maps/issues/2
  • We Added Package.json Support to Deno
    2 projects | news.ycombinator.com | 20 Mar 2023
    Bare specifiers has been the tragedy of ESM. Nice module syntax... that is utterly undeployable & which has had to have awful de-modularizing specifiers hard-coded into each file to make it work. Abominable sin to introduce "modules" to JS/es2015 then spend a decade dragging everyone along with no story for how to have modular modules.

    Import-maps are like "here" to fix this on the web... finally... except they only are shipping to the happiest sunniest easiest case, with Web Workers being totally shit out of luck in spite of some very simple straightforward suggested paths forward. https://github.com/WICG/import-maps/issues/2

    I think Deno is making pretty good tradeoffs along the way here. This looks like package.json at surface level, but there is a nightmare of complexity under the surface. Typescript, ESM, cjs all have various pressures they create & in Node it's just incredibly tight & tense dealing with packaging, whereas Deno's happy path of Typescript first does not slowly tatter one over time. It really has been super pleasant being free of the previous world, and having something much more web-platform centric, more intended, with less assembly & less building, and more doing the actual coding.

    I really hope import-maps eventually get broader support. Maybe this long-dwelling webworker issue should be brought up with WinterCG.

  • Import maps 101
    3 projects | dev.to | 10 Jan 2023
    Import maps proposal
  • You Might Not Need Module Federation: Orchestrate your Microfrontends at Runtime with Import Maps
    8 projects | dev.to | 5 Jan 2023
    The concept of Import Maps was born in 2018 and made its long way until it was declared a new web standard implemented by Chrome in 2021 and some other browsers.
  • Getting an "import file" syntax right for ArkScript
    1 project | /r/ProgrammingLanguages | 24 Nov 2022
    For package managers, you can use something like import maps to let the user specify which path points to what package, and resolve it properly.
  • Deno 1.28: Featuring 1.3M New Modules
    12 projects | news.ycombinator.com | 14 Nov 2022
    Huh. I was about to complain that this breaks with web standards, but apparently it's being proposed as a standard feature: https://github.com/WICG/import-maps

    Interesting!

What are some alternatives?

When comparing webappsec-subresource-integrity and import-maps you can also consider the following projects:

mma - MMA - Musical MIDI Accompaniment. This is a mirror of the original author's code drops.

esbuild - An extremely fast bundler for the web

Roundcube - The Roundcube Webmail suite

es-module-shims - Shims for new ES modules features on top of the basic modules support in browsers

compression-dictionary-transport

importmap-rails - Use ESM with importmap to manage modern JavaScript in Rails without transpiling or bundling.

ci - NodeSecure tool enabling secured continuous integration

esm.sh - A fast, smart, & global CDN for modern(es2015+) web development.

quickjspp

single-spa - The router for easy microfrontends

wasmtime - A fast and secure runtime for WebAssembly

deno - A modern runtime for JavaScript and TypeScript.