Specifying nonce or integrity when importing modules


#1

Just as <script> and <link> elements can specify integrity="hashAlgorithm-hash" and likewise can specify nonce="string-specified-by-content-security-policy", ECMAScript modules should be able to leverage those authenticity mechanisms. I propose the following syntax -

import * from "module" integrity "hashAlgorithm-hash" nonce "string-specified-by-content-security-policy"

Both, either, or (obviously) neither of them can be specified.

import * from "module" integrity "hashAlgorithm-hash"
import * from "module" nonce "string-specified-by-content-security-policy"

Alternative syntax proposal -

import * from "module" #"hashAlgorithm-hash"
import * from "module" @"string-specified-by-content-security-policy"

Or anything else, basically.

It would be good to add this to the (draft) specification before modules ship in stable browser versions, so that shipped modules would already have this aspect included.


#2

You mean this for ECMAScript? Not sure if the relevant people are reading here… this is more directed at W3C, but there might be some lurkers…


#3

Yeah, I noticed that this category is not as active as the rest of them. But I see that @domenic replied here, though it was a long time ago, so maybe there is hope. Anyway, my plan was to suggest it here and if no one really responds, move it to a TC39 issue and the like.


#4

Wow, this is very interesting. We’ve been aware of this problem for a while, and wanted a solution, but didn’t have any ideas on the right syntax. The important requirement is that the syntax “looks static”, so something like

import "module" with { integrity: "hash", nonce: "nonce" };

was very bad. (It implies object literal semantics, but only the syntax matches; using e.g. { integrity: str } or { [propName]: "hash" } or { get nonce() { return "nonce"; } } would not work.)

Your proposed syntax is pretty great. It has one problem, which is that it can’t be split over multiple lines due to automatic semicolon insertion. E.g.

import "module"
  integrity
    "hash"
  nonce
    "nonce"

is just interpreted as a series of statements. But this is fixable with only a slight tweak of mandatory commas (or a similar separator) such as

import "module", integrity "hash", nonce "nonce";

It would be good to add this to the (draft) specification before modules ship in stable browser versions, so that shipped modules would already have this aspect included.

This is certainly out of the question; modules have had their greatest failures when trying to bundle things together, and their recent success in actually getting implemented owes to adding small features one by one. The TC39 process generally takes at least 6 months to accept a feature before implementations can even begin, due to their unfortunate synchronous decision making.

Thanks for the suggestion. I’ll talk this over with some others on my team and if things go well we might start on the process of making a proposal for TC39.


#5

Glad to be of help. :wink: