Add Subresource Integrity support for ModuleFederation #14310
Comments
Anyway, you can do it using a plugin
How? The SubResource integrity plugin doesn't work with federated modules as far as I can see...
Where should we get the integrity from? I would recommend to opt out of automatic remote script loading and let your server compose an HTML with remote script tags including integrity.
For the chunk level we can hardcode (generate) the integrity into the remote-entry.js file. In summary: in the more dynamic cases, you should leave the top level open to receive the integrity from outside.
I am in the same boat as you @amitbet: big corporation with need for both module federation and SRI. Did you figure out a way? I’m wondering if we could simply limit SRI to app level, and ignore it for chunks coming from the remotes? We are using the
Any updates on this?
This issue had no activity for at least three months. It's subject to automatic issue closing if there is no activity in the next 15 days.
bump
Issue was closed because of inactivity. If you think this is still a valid issue, please file a new issue with additional information.
+1 to this
bump
+1
+1
Hi, I made a temporary package, @sowtame/webpack-subresource-integrity, that supports WMF.
This wasn't actually resolved, was it? That's just the stale bot closing the issue?
It is on the plugin side; there is a PR: waysact/webpack-subresource-integrity#220
Feature request
What is the expected behavior?
I am working in a large enterprise org, and we are using ModuleFederation for our MicroFrontEnds implementation.
I would like to have the ability to use SRI (via a plugin or some flag in the ModFed settings).
What is motivation or use case for adding/changing the behavior?
The dynamic loading of JS code is an opening for a supply chain attack. This concern was raised by our security team, and we need some mechanism to ensure the integrity of the loaded JS.
How should this be implemented in your opinion?
The createElement in LoadScriptRuntimeModule.js should be modified to enable adding the "integrity=[contentHash]" attribute, and it should be flaggable in the config.
If there's a better way, I would like to hear about it (there is no documentation online about SRI and ModFed).
Are you willing to work on this yourself?
Yes, but I would need some help in order to "do no harm".
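The server-composed script tag suggested in the comments, and the integrity attribute requested in the issue, shown as an added example that is not code from webpack or from any participant in this thread. It computes the SRI value for a remote entry file, renders the tag, and reproduces the check a browser applies to the attribute; the function names, the URL and the sample bytes are constructed for illustration.

```javascript
// Added example: function names, URL and sample bytes are constructed here.
const { createHash } = require("node:crypto");

// Hash algorithms SRI accepts, weakest to strongest.
const ALGOS = ["sha256", "sha384", "sha512"];

// Build an SRI value ("sha384-<base64 digest>") for a file's bytes.
function sriFor(bytes, algo = "sha384") {
  if (!ALGOS.includes(algo)) throw new Error(`unsupported algorithm: ${algo}`);
  return `${algo}-${createHash(algo).update(bytes).digest("base64")}`;
}

// Escape a value for a double-quoted HTML attribute.
const escapeAttr = (v) => String(v).replace(/&/g, "&amp;")
  .replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Server-side composition of the remote's script tag. crossorigin makes the
// browser fetch in CORS mode, which it needs to verify a cross-origin script.
function remoteScriptTag(url, bytes) {
  return `<script src="${escapeAttr(url)}" integrity="${sriFor(bytes)}"` +
    ` crossorigin="anonymous"></script>`;
}

// The check a browser applies: unknown or malformed tokens are ignored, only
// the strongest listed algorithm counts, and any digest for it may match.
function matchesIntegrity(bytes, integrity) {
  const entries = [];
  for (const token of integrity.trim().split(/\s+/)) {
    const dash = token.indexOf("-");
    const algo = token.slice(0, Math.max(dash, 0));
    if (ALGOS.includes(algo)) entries.push({ algo, value: token.split("?")[0] });
  }
  if (entries.length === 0) return true; // no usable metadata: nothing enforced
  const rank = (e) => ALGOS.indexOf(e.algo);
  const best = Math.max(...entries.map(rank));
  return entries.filter((e) => rank(e) === best)
    .some((e) => sriFor(bytes, e.algo) === e.value);
}

// Constructed sample standing in for a remote's remoteEntry.js.
const remoteEntry = Buffer.from("var app2 = { get() {}, init() {} };\n");
const modified = Buffer.from("var app2 = { get() {}, init() {} }; //x\n");
const pinned = sriFor(remoteEntry);
console.log(remoteScriptTag("https://remote.example/remoteEntry.js", remoteEntry));
console.log(matchesIntegrity(remoteEntry, pinned), matchesIntegrity(modified, pinned));
```

Because the value pins exact bytes, the host's pinned hash has to be refreshed whenever the remote is redeployed, which is why the comments suggest supplying the top-level integrity from outside the build.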