Is it possible to do SRI on importScripts in JS?
opened this issue · comments
I got the following line of code in my service worker:
importScripts('https://storage.googleapis.com/workbox-cdn/releases/3.2.0/workbox-sw.js');
I was wondering if it was possible to add SRI protection to it or not?
Not today, unfortunately. It does seem like the a good thing to poke at. AFAIK, there were proposals floating around a while ago when module scripts were being defined. @domenic might know where they ended up?
I presented https://docs.google.com/presentation/d/1qfoLTniLUVJ5YNFrha7BaVumAnW0ZgcCfUU8UbyyuYY/edit?usp=sharing to TC39 a while back. The conclusion was that we should work on some out of band URL -> fetch options map (option 2). Since then, though, nobody has really done that work.
cc @danbeam
Has there been any progress on this issue?
FWIW, I run into this when trying to leverage JS modules within Chrome's NTP page https://chromium-review.googlesource.com/c/chromium/src/+/1590547, which uses SRI.