Import map scripts should support integrity

[guybedford]

I just tested the following under the current Chromium implementation:

<script type="importmap" integrity="sha384-invalid">
{
  "imports": {
    "module": "./module.js"
  }
}
</script>
<script type="module">
import m from 'module';
console.log(m);
</script>

and unfortunately it appears that the integrity check on the import map script itself is not applying.

I was under the impression that the CSP compatibility discussed in #105 would have enabled this.

Is this a spec or implementation bug? Would be good to follow up further as this seems pretty important.

[domenic]

It looks like this is working as intended. integrity="" is about fetch integrity; it modifies the fetch layer. It never works on inline scripts/styles/etc. importmap is the same as module or text/javascript in this regard.

This will work for external import maps (not implemented in Chrome at the moment), but it will not work for inline ones. This makes sense; the threat model for integrity="" is against network attackers, and there is no network involved when an inline import map is included.

It looks like there is a proposal from @mikewest to apply integrity checking to inline scripts, but it hasn't gotten multi-vendor interest, and there's a good deal of skepticism. w3c/webappsec-subresource-integrity#86.

So I don't think there's much for the import maps spec to do here.

[guybedford]

Got it, thanks for the clarification. I will go ahead and implement integrity for src importmaps in SystemJS then. Agreed the inline case isn't necessary unless progress is made elsewhere on this.