The first public working draft of the SRI specifications has just been released. It defines a hash checksum of linked resources to prevent bad actors from being able to inject arbitrary code from a compromised external server or CDN resource.
Example:

```html
<link rel="stylesheet" href="https://site53.example.net/style.css"
      integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB"
      crossorigin="anonymous">
```
It would be cool if importmap could add support for the checksum hash. It would make sense to create or get the checksum when pinning the library.
Perhaps importmap.rb can add the checksum field:

```ruby
pin "exampleLibrary", to: "https://cdn.jsdelivr.net/npm/[email protected]/dist/js/library.min.js", checksum: "sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB"
```
The generated code could look like the following:

```html
<link rel="modulepreload" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/library.min.js" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB">
```
I believe the adoption of SRI can make external resources more trustworthy and close a security hole in the event that an external resource is compromised by bad actors.
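The pieces a pin-time `checksum:` option would need, as an added example that is not part of the issue or of importmap-rails: computing the `sha384-<base64>` integrity value from the resource bytes, checking fetched bytes against an integrity attribute the way browsers resolve it (strongest listed algorithm wins, any of its digests may match), and rendering the proposed `modulepreload` tag. The function names, the sample module text and the CDN URL are constructed for illustration.

```ruby
require "digest"

# Strongest first: SRI resolution considers only the strongest algorithm present.
SRI_ALGORITHMS = {
  "sha512" => Digest::SHA512,
  "sha384" => Digest::SHA384,
  "sha256" => Digest::SHA256
}.freeze

# Build an integrity value ("sha384-<base64 digest>") for the bytes of a pinned
# resource. This is the value a pin-time checksum option would record.
def sri_integrity(content, algorithm: "sha384")
  digest_class = SRI_ALGORITHMS.fetch(algorithm) { raise ArgumentError, "unsupported SRI algorithm: #{algorithm}" }
  "#{algorithm}-#{[digest_class.digest(content)].pack("m0")}" # "m0" = strict base64, no newlines
end

# Parse an integrity attribute into { algorithm => [digests] }. Tokens with an
# unknown algorithm or a malformed shape are skipped, as browsers skip them.
def parse_integrity(integrity)
  integrity.to_s.split.each_with_object(Hash.new { |h, k| h[k] = [] }) do |token, acc|
    algorithm, digest = token.split("-", 2)
    next unless SRI_ALGORITHMS.key?(algorithm) && digest && !digest.empty?
    acc[algorithm] << digest
  end
end

# Do the fetched bytes satisfy the integrity metadata? Only the strongest listed
# algorithm is checked; any one of its digests may match.
def sri_match?(content, integrity)
  parsed = parse_integrity(integrity)
  strongest = SRI_ALGORITHMS.keys.find { |alg| parsed.key?(alg) }
  return false unless strongest # fail closed when no usable token was given
  expected = [SRI_ALGORITHMS[strongest].digest(content)].pack("m0")
  parsed[strongest].any? { |digest| digest == expected }
end

# Render the preload tag the issue proposes; crossorigin is needed for SRI on
# cross-origin fetches because the browser must be allowed to read the bytes.
def modulepreload_tag(url, integrity)
  %(<link rel="modulepreload" href="#{url}" integrity="#{integrity}" crossorigin="anonymous">)
end

if __FILE__ == $PROGRAM_NAME
  library = "export default function hello() { return 'hi'; }\n" # constructed sample bytes
  integrity = sri_integrity(library)
  puts modulepreload_tag("https://cdn.example/library.js", integrity)
  puts sri_match?(library, integrity)          # true
  puts sri_match?(library + "//x", integrity)  # false: bytes differ from what was pinned
end
```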