stenciljs/core

feat: add possibility for security SRI/integrity attribute

Open

#6 132 ouverte le 30 janv. 2025

Voir sur GitHub
 (1 commentaire) (0 réactions) (0 assignés)TypeScript (844 forks)auto 404
Help Wanted

Métriques du dépôt

Stars
 (13 111 stars)
Métriques de merge PR
 (Métriques PR en attente)

Description

Prerequisites

Describe the Feature Request

If providing stencil component files via a CDN its recommended to load them with an integrity attribute: https://www.w3schools.com/tags/att_script_integrity.asp

This is easily possible for stencil's loader file. But this file loads other scripts without the possibility of adding a integrity hash.

Describe the Use Case

A big design system is providing stencil components via a CDN and consumers wanted to use this security technique.

Describe Preferred Solution

  • consumer just needs to add the SRI "manually" to the loader file request (consumer know the hash)
  • loading of all other files could be extended by the hashes of each file by stencil internal loading logic
  • those hashes could be generated at build time and baked into the loader file (because the browser can trust the value of the loader file)

Describe Alternatives

There are a lot of alternatives. Maybe the consumer can create itself the hashes of loaded files and provide them to the stencil loader.

Related Code

No response

Additional Information

No response

Guide contributeur