
I use subresource integrity for normal scripts on my page but currently not for JavaScript modules.

I assume that specifying the integrity of a module included with the script tag works as described in "What are the integrity and crossorigin attributes?", just with the additional type="module". Is this correct?

How do I specify the integrity of modules included in other modules (e.g. with import * as blah from "blah.js";)?

Is there a way to specify the integrity of these imports? Is it possible to specify them all in one place in the HTML (for example in module preloads), so that if a module deep down changes, not all integrities of the modules using it change as well?

swift-lynx
  • Note that [there is actually a way](https://stackoverflow.com/a/63029759/3702797), in Blink browsers only for now. – Kaiido Jul 22 '20 at 08:16
  • @Kaiido Yeah, I'm using that for now. Sadly only Blink browsers support it at the moment... – swift-lynx Jul 22 '20 at 08:44

1 Answer

AFAIK the "integrity" attribute is used to "verify" that the content on the other server is still the same (same SHA sum, not manipulated).

So you would use this to include resources hosted on third-party servers like CDNs.

If the files you import * as blah are coming from your local directory, there is probably no check for manipulation required. If you wanted to check the integrity, you could just import them with a script tag or look at the link below:

Subresource integrity for es6 import

In the end it's just comparing the SHA sum of the file; you could do it on your own.

Basically everything about it is said at this link: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

john Smith
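
The comparison the answer above describes ("just comparing the SHA sum of the file"), as an added example that is not part of the original question or answer: Node.js code that computes the value for an `integrity` attribute and checks bytes against one, honouring only the strongest listed hash as the SRI specification does. The function names and the sample module are constructed for illustration.

```javascript
// Added example, not code from the original thread. All names are hypothetical.
const { createHash } = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto"); // fallback when run as an ES module

// Hash functions defined for SRI, weakest to strongest.
const ALGORITHMS = ["sha256", "sha384", "sha512"];

// Build an integrity value: "<algorithm>-<base64 digest>".
function sriDigest(bytes, algorithm = "sha384") {
  if (!ALGORITHMS.includes(algorithm)) throw new Error(`unsupported: ${algorithm}`);
  return `${algorithm}-${createHash(algorithm).update(bytes).digest("base64")}`;
}

// Split an integrity value into { algorithm, digest } entries.
// Tokens with an unknown algorithm or a malformed digest are dropped.
function parseIntegrity(value) {
  return value.trim().split(/\s+/).flatMap((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return m ? [{ algorithm: m[1], digest: m[2] }] : [];
  });
}

// True if the bytes match any digest listed for the strongest algorithm present.
// Browsers enforce nothing when no usable token remains; this checker fails closed.
function verifyIntegrity(bytes, value) {
  const entries = parseIntegrity(value);
  if (entries.length === 0) return false;
  const rank = (e) => ALGORITHMS.indexOf(e.algorithm);
  const strongest = Math.max(...entries.map(rank));
  const actual = createHash(ALGORITHMS[strongest]).update(bytes).digest();
  return entries
    .filter((e) => rank(e) === strongest)
    .some((e) => Buffer.from(e.digest, "base64").equals(actual));
}

// Constructed sample: a module as published, and a modified copy of it.
const moduleSource = Buffer.from('export const blah = () => "blah";\n');
const tampered = Buffer.from('export const blah = () => "changed";\n');
const integrity = sriDigest(moduleSource);

// Tag for the top-level module script, carrying the computed value.
console.log(`<script type="module" src="blah.js" integrity="${integrity}" crossorigin="anonymous"></script>`);
console.log("published copy matches:", verifyIntegrity(moduleSource, integrity));
console.log("modified copy matches:", verifyIntegrity(tampered, integrity));
```

Run it in a build step to regenerate the attribute whenever the module file changes; a weaker hash listed next to a stronger one is ignored, so a stale `sha512` entry fails the check even if a `sha256` entry is current.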