feat: add possibility for security SRI/integrity attribute

Open danyball opened this issue 11 months ago • 1 comments

Prerequisites

[x] I have read the Contributing Guidelines.
[x] I agree to follow the Code of Conduct.
[x] I have searched for existing issues that already include this feature request, without success.

Describe the Feature Request

If providing stencil component files via a CDN its recommended to load them with an integrity attribute: https://www.w3schools.com/tags/att_script_integrity.asp

This is easily possible for stencil's loader file. But this file loads other scripts without the possibility of adding a integrity hash.

Describe the Use Case

A big design system is providing stencil components via a CDN and consumers wanted to use this security technique.

Describe Preferred Solution

consumer just needs to add the SRI "manually" to the loader file request (consumer know the hash)
loading of all other files could be extended by the hashes of each file by stencil internal loading logic
those hashes could be generated at build time and baked into the loader file (because the browser can trust the value of the loader file)

Describe Alternatives

There are a lot of alternatives. Maybe the consumer can create itself the hashes of loaded files and provide them to the stencil loader.

Related Code

No response

Additional Information

No response

Jan 30 '25 11:01 danyball

@danyball thanks for raising the issue. I think this is a great idea and could simplify the process to deliver components to end users. Any contributions to the compiler would be much appreciated.

Feb 03 '25 05:02 christian-bromann