Subresource Integrity for Lazy-Loaded Resources from Guy Bedford on 2021-03-06 (public-webappsec@w3.org from March 2021)

From: Guy Bedford <guybedford@gmail.com>
Date: Sat, 6 Mar 2021 10:34:12 +0200
To: public-webappsec@w3.org
Message-ID: <CAGu7HEn7bKrHcpP7NhLW0w+jDb_DyHj2TYKGM2tXV8NpfC07wA@mail.gmail.com>

I'd like to propose a variation of <link rel="preload"> for setting
resource integrity, that can support lazy loaded resources.

Many resources like CSS are lazy loaded via injection into the DOM, where
this injection can be associated with integrity metadata at the time of
injection. But often finding and adding the integrity to that exact
injection code presents a massive adoption friction point to the goal of a
web application where all resources after the first HTML load are served
with integrity to allow reducing third-party server trust requirements.
Integrities change so need to be regularly updated - and if the integrities
are stored in code, that means running injection operations against complex
code patterns.

In 2018 Subresource Integrity was extended to support `<link
rel="preload">` tags, allowing for resources with integrity restrictions to
fully support preloading via the `integrity` attribute on the preload link
tag. See https://chromestatus.com/feature/4967277059375104 for some further
background on this.

The problem with this technique is it isn't useful for lazy resources where
the bandwidth should be spared from the critical load path, while the
integrity should still be provided at load time.

The proposal would be for a variation of the <link rel="preload"
integrity="..."> pattern that can support lazy loading of resources. There
are likely two major ways to achieve this:

1. Varying the priority of the preload - perhaps having an attribute like
<link rel="preload" priority="when-idle"> or "lazy" etc to indicate
resources should not block the critical load of the page.
2. A simpler "boolean" attribute to indicate the preload is lazy <link
rel="preload" lazy> or as appropriate.

With such a tag, the dynamic injection code for lazy resources can be
uncoupled from the exact subresource integrity string, and the main HTML
page can be used to include this metadata for lazy resources without
incurring their full network cost during page initialization.

I think it would be a powerful new primative for constructing full
integrity for web applications.

Further feedback very welcome!

Guy Bedford

Received on Saturday, 6 March 2021 08:35:31 UTC