Does integrity="" intentionally not work on module <script>s?

[domenic]

I just noticed today that https://html.spec.whatwg.org/#prepare-a-script step 21.6 passes in the integrity metadata for classic scripts but not module scripts.

Maybe this is intentional, because it's not super-clear which of the fetched scripts in the graph it would apply to? For example, nonce="" and crossorigin="" apply to everything in the graph, so maybe it'd be weird to only apply integrity="" to the top-level script? I dunno if that reasoning is sound though...

If this is intentional, we should add a note clarifying.

[annevk]

Not being able to declare integrity for module subresources is a problem, but the folks designing modules were not keen on my input that you needed to be able to control the fetch layer declaratively. I guess we could still offer it for the top-level fetch though and provide the same kind of guarantees as you get with CSS...

[mikewest]

I agree with @annevk.

CCing the folks responsible for SRI: @mozfreddyb, @devd, @fmarier, @metromoxie.

[mikewest]

(Longer term, it would be probably be useful to somehow define fetch options for importScripts and import.)

[devd]

I think for now, for SRIv1 this is not a big deal. For styles too, there are many things we don't allow setting integrity metadata. It would be nicer if it just did support it so that we don't have to aptch it on later. So, I guess I agree with Anne!

I wonder how this works with the require-sri directives. If I turned on require-sri-for script, will the module load succeed or fail?

[domenic]

So just to be clear, for everyone agreeing with Anne, it sounds like we should wire it up so integrity="" applies to the top-level fetch when fetching a module script graph? I can do that pretty easily.

I wonder how this works with the require-sri directives. If I turned on require-sri-for script, will the module load succeed or fail?

Presumably they'd act just like CSS background-image: url(...) or @import "..." do, where those don't have any integrity metadata. Do those fail, or succeed?

[devd]

@mozfreddyb and @mikewest probably know.. I am in the "TIL module script graph" phase right now :)

[mikewest]

@domenic: Yes. I think it makes sense to use the integrity attribute to govern the content of the top-level fetch, and to rely on an as-yet-to-be-invented mechanism for integrity checks on branch-level fetches.

With regard to require-sri-for, yes, those internal branch requests would fail. That's an argument for y'all to get to work on SRI2, I think. :)

[mozfreddyb]

It seems this discussion achieved rough consensus without my comments, but here it is:
I agree with @annevk. For now, the integrity attribute should work for module top-level fetches.

We'll have to figure other loads out in the future (CSS @import, url(), importScripts etc.). As implemented (and intended) require-sri-for will break: There is no integrity metadata provided (as there's no way to provide it), so verification is can't succeed.

[guybedford]

Is there any existing proposal or discussion for how to handle SRI for module dependencies? Ideally it should be possible to declaratively include this information in the page or server response, just like we provide preload metadata currently.

[annevk]

No, it's basically up to whatever #2547 ends up being. We should maybe keep that open?

[domenic]

No, see https://discourse.wicg.io/t/specifying-nonce-or-integrity-when-importing-modules/1861/3. This is TC39's responsibility.