**Aral Balkan** @aral@mastodon.ar.al · 2021-02-15T15:27:01Z

Aral Balkan @aral@mastodon.ar.al

Looking into jspm and, like Skypack, I can‘t find anything on subresource integrity support. Unless I’m missing something, these new crop of ESM-based CDNs – while they sound great otherwise – are basically backdoors waiting to happen.

Thoughts?

See: https://ar.al/2020/12/30/skypack-backdoor-as-a-service/

Skypack issue: https://github.com/skypackjs/skypack-cdn/issues/135
jspm issue: https://github.com/jspm/project/issues/92

Feb 15, 2021, 15:27 · · Web · · ·

**Aral Balkan** @aral@mastodon.ar.al · Feb 15, 2021, 15:37

**Aral Balkan** @aral@mastodon.ar.al · Feb 15, 2021, 15:37

Feb 15, 2021, 15:37

Aral Balkan @aral@mastodon.ar.al

At least the Deno folks seem to be discussing and working on it: https://github.com/denoland/deno/issues/200

**Evan Hahn** @EvanHahn@bigshoulders.city · Feb 15, 2021, 15:52

**Evan Hahn** @EvanHahn@bigshoulders.city · Feb 15, 2021, 15:52

Feb 15, 2021, 15:52

Evan Hahn @EvanHahn@bigshoulders.city

@aral I think it'd be cool to use a content-addressed system like IPFS to address this, but I haven't thought about it too much!

**Aral Balkan** @aral@mastodon.ar.al · Feb 16, 2021, 11:25

**Aral Balkan** @aral@mastodon.ar.al · Feb 16, 2021, 11:25

Feb 16, 2021, 11:25

Aral Balkan @aral@mastodon.ar.al

@EvanHahn See Hypercore (IPFS is VC-funded). A signed DAG would be interesting but probably overlaps more with git than my use case. All I really need is a signed hash of the file tacked onto it.

Trending now

Resources

Developers

What is Mastodon?

mastodon.ar.al

More…