I’m playing with dynamic imports for a plugin system in JS but dynamic imports don’t have any sort of verification built in. So I’m thinking of implementing simple signed modules that are loaded in and evaluated. But before I fall down that particular rabbit hole, does anyone know of similar attempts? (I did the usual search engine scouring and stumbled on Web Bundles and Signed HTTP exchanges but though they sound similar, they’re very much not the same thing.)


Nice to see folks thinking along the same lines (and three years ahead of me) ;) github.com/tasn/webext-signed- – looks like Tom Hacohen already built what I wanted to verify the index page at least.

(The reason I’m looking past subresource integrity is because I need to have dynamic plugins and subresource integrity is only useful for resources you know at build time.)

· · Web · 1 · 2 · 5

@aral I'd like to explore some options for dynamic pages. There is some mention of it not being an ideal solution because the server needs to sign instead of the developer. But when the full server is trusted and in your control, does that matter? Would signing dynamic pages add any value then?

Sign in to participate in the conversation
Aral’s Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!