webappsec-subresource-integrity VS lit

Seeing this, it reminded me of an interesting topic: caching at browser-level the external libraries used for big performance improvements: https://github.com/w3c/webappsec-subresource-integrity/issue...

All package managers implement strict specifications on this approach to integrity. For example, npm respects the W3C's "Subresource Integrity or SRI" specification, which describes the mechanisms to be implemented to reduce the risk of malicious code injection. You can jump directly here to the specification document if you want to dig deeper.

One proposed solution is checksums on CDN provided javascript:

https://w3c.github.io/webappsec-subresource-integrity/

It's great to hear that you want this added to browsers themselves, and you're right that browsers are more likely to implement such changes if you can show that users are deliberately installing an extension to add the missing functionality.

There has been some discussion at the W3C about extending the SRI spec in this direction[0], but it seems they are reluctant to do that unless "multiple browser vendors" choose to implement something like this.[1] Hopefully the existence and adoption of this browser extension helps to solve that bootstrapping / Catch-22 problem.

As for usability, would it be sufficient to just adopt a TOFU model, where the browser pins the first key it sees for a domain? To prevent the risk of permanently bricking a site (if the key gets lost, or the host gets temporarily compromised) you could politely warn the user that the key has changed, or just show a different colour icon representing that the code is correctly signed with an unknown key.

[0] https://github.com/w3c/webappsec/issues/449

[1] https://github.com/w3c/webappsec-subresource-integrity/issue...

Including the hash is exactly what subresource integrity does (even in a CDN context, conveniently enough), but so far people haven’t figured out a sufficiently non-leaky design to use it for caching[1,2].

[1] https://github.com/w3c/webappsec-subresource-integrity/issue...

[2] https://hillbrad.github.io/sri-addressable-caching/sri-addre...

That is the reason why I experiment with the TiniJS framework for a while. It is a collection of tools for developing web/desktop/mobile apps using the native Web Component technology, based on the Lit library. Thank you the Lit team for creating a great tool assists us working with standard Web Component easier.

https://github.com/lit/lit/tree/main/packages/labs/virtualiz...

actually, looking at it (https://lit.dev/), i do exactly that.

I also define a `render()` and extend my own parent, which does a `replaceChildren()` with the render. And, strangely, I also call the processor `html`

I'll still stick with mine however, my 'framework' is half-page of code. I dislike dependencies greatly. I'd need to be saving thousand+ lines at least.

Here, I don't want a build system to make a website; that's mad. So I don't want lit. I want the 5 lines it takes to invoke a dom parser, and the 5 lines it takes do define a webcomp parent.

I rather like https://lit.dev/ for web components so far.

For the reactivity stuff, you might want to read https://frontendmasters.com/blog/vanilla-javascript-reactivi... - it shows a bunch of no-library-required patterns that, while in a number of cases I'd much rather use a library myself, all seems at least -basically- reasonable to me and will probably be far more comprehensible to you than whatever I'd reach for, and frameworks are always much more pleasant to approach after you've already done a bunch of stuff by banging rocks together first.

I work on Lit, which I would hesitate to call a framework, but gives a framework-like DX for building web components, while trying to keep opinions to a minimum and lock-in as low as possible.

It's got reactivity, declarative templates, great performance, SSR, TypeScript support, native CSS encapsulation, context, tasks, and more.

It's used to build Material Design, settings and devtools UIs for Chrome, some UI for Firefox, Reddit, Photoshop Web...

https://lit.dev if you're interested.

I am more a fan of the augmented style because it doesn't entrap you in dev lock-in to platforms.

The problem with frameworks, especially web frameworks, is they reimplement many items that are standard now (shadowdom, components, storage, templating, base libraries, class/async, network/realtime etc).

If you like the component style of other frameworks but want to use Web Components, Google Lit is quite nice.

Google Lit is like a combination of HTML Web Components and React/Vue style components. The great part is it is build on Web Components underneath.

[1] https://lit.dev/

From the comments I see here, it seems like people expect the Webcomponents API to be a complete replacement for a JS framework. The thing is, our frameworks should start making use of modern web APIs, so the frameworks will have to do less themselves, so can be smaller. Lit [0] for example is doing this. Using Lit is very similar to using React. Some things work different, and you have to get used to some web component specific things, but once you get it, I think it's way more pleasant to work with than React. It feels more natural, native, less framework-specific.

For state management, I created LitState [1], a tiny library (really only 258 lines), which integrates nicely with Lit, and which makes state management between multiple components very easy. It's much easier than the Redux/flux workflows found in React.

So my experience with this is that it's much nicer to work with, and that the libraries are way smaller.

[0] https://lit.dev/