webappsec-subresource-integrity
lit
| | webappsec-subresource-integrity | lit |
|---|---|---|
| Mentions | 5 | 141 |
| Stars | 69 | 17,535 |
| Growth | - | 2.1% |
| Activity | 0.0 | 9.4 |
| Last commit | about 1 year ago | 4 days ago |
| Language | HTML | TypeScript |
| License | GNU General Public License v3.0 or later | BSD 3-clause "New" or "Revised" License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
webappsec-subresource-integrity
- JavaScript import maps are now supported cross-browser
Seeing this, it reminded me of an interesting topic: caching at browser-level the external libraries used for big performance improvements: https://github.com/w3c/webappsec-subresource-integrity/issue...
- 📦 Everything you need to know: package managers
All package managers implement strict specifications on this approach to integrity. For example, npm respects the W3C's "Subresource Integrity or SRI" specification, which describes the mechanisms to be implemented to reduce the risk of malicious code injection. You can jump directly here to the specification document if you want to dig deeper.
- Python 3.11 in the Web Browser
One proposed solution is checksums on CDN provided javascript:
https://w3c.github.io/webappsec-subresource-integrity/
- How Cloudflare verifies the code WhatsApp Web serves to users
It's great to hear that you want this added to browsers themselves, and you're right that browsers are more likely to implement such changes if you can show that users are deliberately installing an extension to add the missing functionality.
There has been some discussion at the W3C about extending the SRI spec in this direction[0], but it seems they are reluctant to do that unless "multiple browser vendors" choose to implement something like this.[1] Hopefully the existence and adoption of this browser extension helps to solve that bootstrapping / Catch-22 problem.
As for usability, would it be sufficient to just adopt a TOFU model, where the browser pins the first key it sees for a domain? To prevent the risk of permanently bricking a site (if the key gets lost, or the host gets temporarily compromised) you could politely warn the user that the key has changed, or just show a different colour icon representing that the code is correctly signed with an unknown key.
[0] https://github.com/w3c/webappsec/issues/449
[1] https://github.com/w3c/webappsec-subresource-integrity/issue...
- “Outlook just asked me if I want to upgrade to bigger ads?”
Including the hash is exactly what subresource integrity does (even in a CDN context, conveniently enough), but so far people haven’t figured out a sufficiently non-leaky design to use it for caching[1,2].
[1] https://github.com/w3c/webappsec-subresource-integrity/issue...
[2] https://hillbrad.github.io/sri-addressable-caching/sri-addre...
lit
- I've created yet another JavaScript framework
That is the reason why I have been experimenting with the TiniJS framework for a while. It is a collection of tools for developing web/desktop/mobile apps using the native Web Component technology, based on the Lit library. Thank you to the Lit team for creating a great tool that makes working with standard Web Components easier.
- Web Components and my opinion on the future of front-end libs
- Show HN: I made a Pinterest clone using SigLIP image embeddings
https://github.com/lit/lit/tree/main/packages/labs/virtualiz...
- What We Need Instead of "Web Components"
actually, looking at it (https://lit.dev/), i do exactly that.
I also define a `render()` and extend my own parent, which does a `replaceChildren()` with the render. And, strangely, I also call the processor `html`
I'll still stick with mine however, my 'framework' is half-page of code. I dislike dependencies greatly. I'd need to be saving thousand+ lines at least.
Here, I don't want a build system to make a website; that's mad. So I don't want lit. I want the 5 lines it takes to invoke a dom parser, and the 5 lines it takes to define a webcomp parent.
- Web Components Aren't Framework Components
I rather like https://lit.dev/ for web components so far.
For the reactivity stuff, you might want to read https://frontendmasters.com/blog/vanilla-javascript-reactivi... - it shows a bunch of no-library-required patterns that, while in a number of cases I'd much rather use a library myself, all seems at least -basically- reasonable to me and will probably be far more comprehensible to you than whatever I'd reach for, and frameworks are always much more pleasant to approach after you've already done a bunch of stuff by banging rocks together first.
- Reddit just completed their migration out of React
- Web Components Eliminate JavaScript Framework Lock-In
I work on Lit, which I would hesitate to call a framework, but gives a framework-like DX for building web components, while trying to keep opinions to a minimum and lock-in as low as possible.
It's got reactivity, declarative templates, great performance, SSR, TypeScript support, native CSS encapsulation, context, tasks, and more.
It's used to build Material Design, settings and devtools UIs for Chrome, some UI for Firefox, Reddit, Photoshop Web...
https://lit.dev if you're interested.
- HTML Web Components
I am more a fan of the augmented style because it doesn't entrap you in dev lock-in to platforms.
The problem with frameworks, especially web frameworks, is they reimplement many items that are standard now (shadowdom, components, storage, templating, base libraries, class/async, network/realtime etc).
If you like the component style of other frameworks but want to use Web Components, Google Lit is quite nice.
Google Lit is like a combination of HTML Web Components and React/Vue style components. The great part is it is built on Web Components underneath.
[1] https://lit.dev/
- Web Components Will Outlive Your JavaScript Framework
From the comments I see here, it seems like people expect the Webcomponents API to be a complete replacement for a JS framework. The thing is, our frameworks should start making use of modern web APIs, so the frameworks will have to do less themselves, so can be smaller. Lit [0] for example is doing this. Using Lit is very similar to using React. Some things work differently, and you have to get used to some web component specific things, but once you get it, I think it's way more pleasant to work with than React. It feels more natural, native, less framework-specific.
For state management, I created LitState [1], a tiny library (really only 258 lines), which integrates nicely with Lit, and which makes state management between multiple components very easy. It's much easier than the Redux/flux workflows found in React.
So my experience with this is that it's much nicer to work with, and that the libraries are way smaller.
[0] https://lit.dev/
- Lit – a small responsive CSS framework
What are some alternatives?
mma - MMA - Musical MIDI Accompaniment. This is a mirror of the original author's code drops.
Svelte - Cybernetically enhanced web apps
Roundcube - The Roundcube Webmail suite
stencil - A toolchain for building scalable, enterprise-ready component systems on top of TypeScript and Web Component standards. Stencil components can be distributed natively to React, Angular, Vue, and traditional web developers from a single, framework-agnostic codebase.
compression-dictionary-transport
Vue.js - This is the repo for Vue 2. For Vue 3, go to https://github.com/vuejs/core
ci - NodeSecure tool enabling secured continuous integration
Angular - Deliver web apps with confidence 🚀
quickjspp
htmx - </> htmx - high power tools for HTML
wasmtime - A fast and secure runtime for WebAssembly
Preact - ⚛️ Fast 3kB React alternative with the same modern API. Components & Virtual DOM.