
Add Subresource Integrity support for ModuleFederation #14310

Closed
amitbet opened this issue Sep 23, 2021 · 16 comments

@amitbet

amitbet commented Sep 23, 2021

Feature request

What is the expected behavior?
I am working in a large enterprise org, and we are using ModuleFederation for our MicroFrontEnds implementation.
I would like to have the ability to use SRI (via a plugin or some flag in the ModFed settings).

What is motivation or use case for adding/changing the behavior?
The dynamic loading of JS code is an opening for a supply chain attack; this concern was raised by our security team, and we need some mechanism to ensure the integrity of the loaded JS.

How should this be implemented in your opinion?
The createElement in LoadScriptRuntimeModule.js should be modified to enable adding the "integrity=[contentHash]" attribute, and it should be flaggable in the config.

If there's a better way I would like to hear about it (there is no documentation online about SRI and ModFed).

Are you willing to work on this yourself?
Yes, but I would need some help in order to "do no harm".

@alexander-akait
Member

Anyway, you can do it using a plugin.

@amitbet
Author

amitbet commented Sep 23, 2021

How? The SubResource Integrity plugin doesn't work with federated modules as far as I can see...

@sokra
Member

sokra commented Sep 23, 2021

Where should we get the integrity from?
The idea with module federation is that the remote script can change independently of the consuming script. So it can't be passed via config. It needs to be provided at runtime.

I would recommend opting out of automatic remote script loading and letting your server compose an HTML page with remote script tags including integrity.

@amitbet
Author

amitbet commented Sep 23, 2021

For the chunk level we can hardcode (generate) the integrity into the remote-entry.js file.
For the top level, there are several options depending on what you are implementing. If there is a declaration of the remotes, you can include the integrity hash in that definition. If it is more dynamic than that (as it is in our case as well), the top-level integrity should come from the same code that knows which concrete module you will be consuming (in our app we resolve a tree of modules with semver queries into concrete versions, and we can have an integrity hash associated with each widget version).

In summary: in the more dynamic cases, you should leave the top level open to receive the integrity from outside.

@vankop vankop added the module-federation issues related to module federation label Nov 24, 2021
@aversini

I am in the same boat as you @amitbet: big corporation with a need for both module federation and SRI. Did you figure out a way? I’m wondering if we could simply limit SRI to the app level and ignore it for chunks coming from the remotes? We are using the webpack-subresource-integrity plugin, but it doesn’t seem to be able to let us bypass some chunks; it’s all or nothing…

@subeshb1

subeshb1 commented Jun 2, 2022

Any updates on this?

@webpack-bot
Contributor

This issue had no activity for at least three months.

It's subject to automatic issue closing if there is no activity in the next 15 days.

@alexander-akait
Member

bump

@webpack-bot
Contributor

Issue was closed because of inactivity.

If you think this is still a valid issue, please file a new issue with additional information.

@azinod

azinod commented May 12, 2023

+1 to this

@sowtame

sowtame commented Aug 21, 2023

bump

@fdecollibus

+1

@AmsterGet

+1

@sowtame

sowtame commented Sep 27, 2023

Hi, I made a temporary package, @sowtame/webpack-subresource-integrity, which supports WMF.
It's created from this PR.

@noahnu

noahnu commented Jan 12, 2024

This wasn't actually resolved, was it? That's just the stale bot closing the issue?

@alexander-akait
Member

It is on the plugin side; there is a PR: waysact/webpack-subresource-integrity#220
