I’m playing with dynamic imports for a plugin system in JS but dynamic imports don’t have any sort of verification built in. So I’m thinking of implementing simple signed modules that are loaded in and evaluated. But before I fall down that particular rabbit hole, does anyone know of similar attempts? (I did the usual search engine scouring and stumbled on Web Bundles and Signed HTTP exchanges but though they sound similar, they’re very much not the same thing.)
Nice to see folks thinking along the same lines (and three years ahead of me) ;) https://github.com/tasn/webext-signed-pages – looks like Tom Hacohen already built what I wanted to verify the index page at least.
(The reason I’m looking past subresource integrity is because I need to have dynamic plugins and subresource integrity is only useful for resources you know at build time.)
@aral what kind of verification are you referring to?
I can only think of Deno, which forces the user to unlock specific capabilities, but it's not very efficient (you do this at root level, not at module level)
@xananax Just digital signature verification so that I can ensure the source code is as the developer (who I trust, let’s say) intended and not what the server decided to serve.
@aral I'd like to explore some options for dynamic pages. There is some mention of it not being an ideal solution because the server needs to sign instead of the developer. But when the full server is trusted and in your control, does that matter? Would signing dynamic pages add any value then?
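An added example, not part of the thread or of any project mentioned in it: a minimal Node.js sketch of the check discussed above, where the developer signs the module source and the loader verifies a detached Ed25519 signature against a pinned public key before handing the verified bytes to a dynamic `import()`. The function names, the inline key pair and the sample plugin are assumptions constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed key pair standing in for the plugin developer's signing key.
// Only the public half would be shipped (pinned) inside the host application.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Developer side: sign the exact bytes of the module source.
function signModule(source, key) {
  return nodeCrypto.sign(null, Buffer.from(source, 'utf8'), key).toString('base64');
}

// Loader side: true only if the signature matches the bytes actually received.
function verifyModule(source, signatureB64, pinnedKey) {
  const sig = Buffer.from(signatureB64, 'base64');
  if (sig.length !== 64) return false; // Ed25519 signatures are always 64 bytes
  return nodeCrypto.verify(null, Buffer.from(source, 'utf8'), pinnedKey, sig);
}

// Import the verified bytes themselves (via a data: URL) instead of importing
// by URL: a second fetch could return different code than the one checked.
async function loadSignedPlugin(source, signatureB64, pinnedKey) {
  if (!verifyModule(source, signatureB64, pinnedKey)) {
    throw new Error('plugin signature verification failed');
  }
  const b64 = Buffer.from(source, 'utf8').toString('base64');
  return import('data:text/javascript;base64,' + b64);
}

// Constructed sample plugin and a copy modified after signing.
const pluginSource = 'export const name = "hello"; export const run = () => 42;';
const signature = signModule(pluginSource, privateKey);
const tampered = pluginSource.replace('42', '1337');

// Demo: the genuine plugin loads, the modified copy is rejected.
loadSignedPlugin(pluginSource, signature, publicKey)
  .then((m) => console.log('loaded', m.name, m.run()))
  .then(() => loadSignedPlugin(tampered, signature, publicKey))
  .catch((e) => console.log('rejected:', e.message));
```

The check only adds value if the pinned public key reaches the loader through a channel the serving host cannot rewrite; a key fetched from the same server as the plugin verifies nothing.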