Subresource integrity for es6 import or worker
Problem description
<script> accepts the integrity attribute, so I can load a module safely:
<script type="module"
src="https://example.com/module.mjs"
integrity="sha256-2Kok7MbOyxpgUVvAk/HJ2jigOSYS2auK4Pfzbm7uH60="
crossorigin="anonymous"
></script>
But how can I keep safe when loading a module inside a script?
- With import:
import foo from "https://example.com/module.mjs"
- Dynamic import:
import("https://example.com/module.mjs").then(console.log)
- Or even a web worker:
const myWorker = new Worker('worker.js')
Recommended answer
See this question:
Is it possible to use subresource integrity with ES6 module imports?
You can use RequireJS, and transpile your code to AMD or UMD to achieve this. RequireJS has a hook onNodeCreated, which gives you access to the script tag before it is added to document. You can add the sri attribute onto the script tag:
onNodeCreated: function(node, config, module, path) {
  // integrityForModule: the integrity value ("sha256-...") expected for this module
  node.setAttribute('integrity', integrityForModule);
  node.setAttribute('crossorigin', 'anonymous');
}
Credit: https://stackoverflow.com/a/37065379
I use Webpack (with a target of UMD) and RequireJS, with the relevant modules put in the external section of the webpack configuration file, so the modules are not compiled into the transpiled code.
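The answer's hook needs an integrity value per module. The following is an added example, not code from the answer or from RequireJS: a Node build step that computes those values, plus a hook factory that refuses to load a module with no recorded hash. The names sriFor, buildIntegrityMap and makeOnNodeCreated, the sample module and the fail-closed behaviour are assumptions of this example.

```javascript
const crypto = require('crypto');

// Compute an SRI value ("sha384-<base64 digest>") over the exact bytes served.
function sriFor(bytes, algo = 'sha384') {
  const digest = crypto.createHash(algo).update(bytes).digest('base64');
  return `${algo}-${digest}`;
}

// Build { moduleName: integrity } for the modules kept external to the bundle.
function buildIntegrityMap(modules) {
  const map = {};
  for (const [name, bytes] of Object.entries(modules)) {
    map[name] = sriFor(bytes);
  }
  return map;
}

// Returns a function usable as the RequireJS onNodeCreated config option.
// Fails closed: a module without a recorded hash never gets a <script>
// element that lacks an integrity attribute.
function makeOnNodeCreated(integrityMap) {
  return function onNodeCreated(node, config, moduleName, url) {
    // Own-property check so names like "constructor" cannot match by accident.
    if (!Object.prototype.hasOwnProperty.call(integrityMap, moduleName)) {
      throw new Error(`no integrity value for module "${moduleName}" (${url})`);
    }
    node.setAttribute('integrity', integrityMap[moduleName]);
    node.setAttribute('crossorigin', 'anonymous');
  };
}

// Constructed sample input: module source as it would be read from disk.
const sampleModules = {
  foo: Buffer.from('define(function () { return "foo"; });\n'),
};
const integrityMap = buildIntegrityMap(sampleModules);

// Browser-side wiring (hypothetical; the build inlines integrityMap as JSON):
//   requirejs.config({ onNodeCreated: makeOnNodeCreated(integrityMap) });
```

The hash must be computed over the same bytes the server delivers, so run the build step after minification and any other transformation of the external modules.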