Add support for importmap integrity

[yoavweiss]

339bcec

Add support for importmap integrity
https://bugs.webkit.org/show_bug.cgi?id=272884

Reviewed by Ryosuke Niwa.

Imported ES modules can't currently have integrity checks, which means
they can't be used in sites where integrity checks are a necessity, for
security and privacy reasons.
This implements such support, by adding an "integrity" section to import
maps.

See whatwg/html#10269

* LayoutTests/TestExpectations: Ignored console logs to avoid flakiness
* LayoutTests/imported/w3c/web-platform-tests/import-maps/WEB_FEATURES.yml: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/data-driven/resources/test-helper.js:
(createTestIframe): Updated through import.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/dynamic-integrity-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/dynamic-integrity.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/no-referencing-script-integrity-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/no-referencing-script-integrity-valid-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/no-referencing-script-integrity-valid.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/no-referencing-script-integrity.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/nonimport-integrity-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/nonimport-integrity.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/static-integrity-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/static-integrity.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/import-maps/w3c-import.log: Imports.
* LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-resources.https-expected.txt: Updated.
* LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-resources.https.html: Updated to cover Request.integrity.
* LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-request-resources-iframe.https.html: Updated to cover Request.integrity.
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-resources.https-expected.txt: Updated.
* Source/JavaScriptCore/runtime/ImportMap.cpp:
(JSC::ImportMap::resolveImportMatch): Typos and spec link.
(JSC::parseURLLikeModuleSpecifier): Typos and spec link.
(JSC::ImportMap::resolve const): Typos and spec link.
(JSC::normalizeSpecifierKey): Typos and spec link.
(JSC::sortAndNormalizeSpecifierMap): Typos and spec link.
(JSC::ImportMap::registerImportMap): Add parsing for the integrity
section.
(JSC::ImportMap::getIntegrity const): Getter for integrity based on URL.
* Source/JavaScriptCore/runtime/ImportMap.h:
* Source/WebCore/bindings/js/ScriptModuleLoader.cpp:
(WebCore::ScriptModuleLoader::importModule): Add integrity to outgoing
requests.
(WebCore::ScriptModuleLoader::notifyFinished): Enforce integrity from
the importmap on responses, even if integrity wasn't present in the
request. Needed for static imports triggered by JSCore.
* Source/WebCore/dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestModuleScript): Add integrity to outgoing
requests for top-level modules, if they don't already have an integrity
attribute.

Canonical link: https://commits.webkit.org/279096@main

ac14677

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	❌ 🧪 wpe-wk2	✅ 🧪 wincairo-tests
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	❌ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 tv-sim	✅ 🧪 mac-wk2-stress	❌ 🧪 api-gtk
✅ 🛠 🧪 merge	✅ 🛠 watch		✅ 🛠 jsc-armv7
	✅ 🛠 watch-sim		❌ 🧪 jsc-armv7-tests

[webkit-early-warning-system]

EWS run on previous version of this PR (hash 50567d7)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	❌ 🧪 wpe-wk2
✅ 🧪 webkitperl	❌ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	🧪 ios-wk2-wpt	❌ 🧪 mac-wk1	✅ 🛠 wpe-skia
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	❌ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	❌ 🧪 mac-AS-debug-wk2	❌ 🧪 gtk-wk2
	✅ 🛠 tv-sim	⏳ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🛠 watch		✅ 🛠 jsc-armv7
	✅ 🛠 watch-sim		✅ 🧪 jsc-armv7-tests

[yoavweiss]

Apologies for my noobness, but my git-webkit script didn't seem to do the right thing when uploading this.
Also, I still need to update the test expectations for the new tests.

[webkit-early-warning-system]

EWS run on previous version of this PR (hash 5314069)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	❌ 🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
✅ 🧪 webkitpy	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🛠 wpe-skia
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2	❌ 🧪 gtk-wk2
✅ 🧪 services	✅ 🛠 tv-sim	✅ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🛠 watch		✅ 🛠 jsc-armv7
	✅ 🛠 watch-sim		✅ 🧪 jsc-armv7-tests

[webkit-early-warning-system]

EWS run on previous version of this PR (hash 3491244)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	❌ 🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	❌ 🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	⏳ 🛠 wpe-skia
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2	❌ 🧪 gtk-wk2
	✅ 🛠 tv-sim	✅ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🛠 watch		🛠 jsc-armv7
	✅ 🛠 watch-sim		🧪 jsc-armv7-tests

[webkit-early-warning-system]

EWS run on previous version of this PR (hash f61a244)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	❌ 🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	❌ 🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	❌ 🧪 mac-wk1	⏳ 🛠 wpe-skia
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	❌ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	❌ 🧪 mac-AS-debug-wk2	🧪 gtk-wk2
	✅ 🛠 tv-sim	❌ 🧪 mac-wk2-stress	⏳ 🧪 api-gtk
	✅ 🛠 watch		🛠 jsc-armv7
	✅ 🛠 watch-sim		🧪 jsc-armv7-tests

[webkit-early-warning-system]

EWS run on previous version of this PR (hash 50dc1bb)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	❌ 🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	⏳ 🛠 wpe-skia
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2	❌ 🧪 gtk-wk2
	✅ 🛠 tv-sim	✅ 🧪 mac-wk2-stress	🧪 api-gtk
	✅ 🛠 watch		🛠 jsc-armv7
	✅ 🛠 watch-sim		🧪 jsc-armv7-tests

[webkit-early-warning-system]

EWS run on previous version of this PR (hash 0e261b9)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	⏳ 🛠 wpe-skia
✅ 🛠 🧪 jsc	🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2	🧪 gtk-wk2
	✅ 🛠 tv-sim	✅ 🧪 mac-wk2-stress	⏳ 🧪 api-gtk
	✅ 🛠 watch		🛠 jsc-armv7
	✅ 🛠 watch-sim		🧪 jsc-armv7-tests

[webkit-early-warning-system]

EWS run on previous version of this PR (hash 41d987a)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	❌ 🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	⏳ 🛠 wpe-skia
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2	❌ 🧪 gtk-wk2
	✅ 🛠 tv-sim	✅ 🧪 mac-wk2-stress	❌ 🧪 api-gtk
	✅ 🛠 watch		✅ 🛠 jsc-armv7
	✅ 🛠 watch-sim		✅ 🧪 jsc-armv7-tests

[yoavweiss]

This fails because module preload integrity is not supported.

[yoavweiss]

This fails because of modulepreload integrity is not supported in this PR.

[yoavweiss]

This fails because of the way I implemented static import integrity (only on the response side)

[yoavweiss]

This is a manual import, as importing the entire service-workers directory introduced too much unrelated noise

[yoavweiss]

This enforces integrity checks on the response even in cases where the integrity value is not propagated through the request (static imports).

[yoavweiss]

There are still a few open questions (as comments), but I'd love an initial review of the approach.

[webkit-early-warning-system]

EWS run on previous version of this PR (hash c710e8d)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
⏳ 🧪 style	🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
⏳ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	🧪 wpe-wk2	✅ 🧪 wincairo-tests
⏳ 🧪 webkitperl	✅ 🧪 ios-wk2	🧪 api-mac	✅ 🧪 api-wpe
	🧪 ios-wk2-wpt	🧪 mac-wk1	✅ 🛠 wpe-cairo
🛠 🧪 jsc	🧪 api-ios	🧪 mac-wk2	✅ 🛠 gtk
🛠 🧪 jsc-arm64	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2	🧪 gtk-wk2
⏳ 🧪 services	🛠 tv-sim	🧪 mac-wk2-stress	🧪 api-gtk
	🛠 watch		✅ 🛠 jsc-armv7
	⏳ 🛠 watch-sim		✅ 🧪 jsc-armv7-tests

[webkit-early-warning-system]

EWS run on previous version of this PR (hash f11ae62)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	✅ 🧪 wincairo-tests
✅ 🧪 webkitperl	❌ 🧪 ios-wk2	❌ 🧪 api-mac	✅ 🧪 api-wpe
✅ 🧪 webkitpy	❌ 🧪 ios-wk2-wpt	❌ 🧪 mac-wk1	✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
✅ 🧪 services	✅ 🛠 tv-sim	✅ 🧪 mac-wk2-stress	❌ 🧪 api-gtk
	✅ 🛠 watch		✅ 🛠 jsc-armv7
	✅ 🛠 watch-sim		✅ 🧪 jsc-armv7-tests

[webkit-early-warning-system]

EWS run on previous version of this PR (hash b224e85)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	⏳ 🧪 wpe-wk2	🧪 wincairo-tests
✅ 🧪 webkitperl	⏳ 🧪 ios-wk2	✅ 🧪 api-mac	🧪 api-wpe
✅ 🧪 webkitpy	⏳ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🛠 wpe-cairo
🛠 🧪 jsc	⏳ 🧪 api-ios	🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	🧪 mac-AS-debug-wk2	⏳ 🧪 gtk-wk2
✅ 🧪 services	🛠 tv-sim	✅ 🧪 mac-wk2-stress	⏳ 🧪 api-gtk
	🛠 watch		✅ 🛠 jsc-armv7
	✅ 🛠 watch-sim		⏳ 🧪 jsc-armv7-tests

[yoavweiss]

Thanks for reviewing!

[webkit-early-warning-system]

EWS run on current version of this PR (hash ac14677)

Details

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	❌ 🧪 wpe-wk2	✅ 🧪 wincairo-tests
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	❌ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 tv-sim	✅ 🧪 mac-wk2-stress	❌ 🧪 api-gtk
✅ 🛠 🧪 merge	✅ 🛠 watch		✅ 🛠 jsc-armv7
	✅ 🛠 watch-sim		❌ 🧪 jsc-armv7-tests

[marcoscaceres]

Non-reviewer r+ on the tests, with that additional one I suggested.

[marcoscaceres]

@yoavweiss, ping me if/when you need me to add it to the merge queue.

[webkit-commit-queue]

Committed 279096@main (339bcec): https://commits.webkit.org/279096@main

Reviewed commits have been landed. Closing PR #28253 and removing active labels.