Replies: 2 comments 6 replies
-
|
This is a great topic that may be worth having a call about or a deeper discussion on. @valorkin @ScriptedAlchemy @lucamezzalira @ilteoood @lucasfernog |
Beta Was this translation helpful? Give feedback.
-
|
It's difficult client side without exposing some sort of key, this in my mind is the real challenge. Mostly because at build time you'd have to sign something, then the consumer can check the validity when it loads a module. In order to do that it needs to have the key available which means putting it in a bundle, or you'd have to make a server call - which is likely ideal but starts to move you away from pure client app. You can probably security through obscurity and get 80% of the value you're looking for, in the end its all public info, you just want to make sure you agree with the content you are about to mount. |
Beta Was this translation helpful? Give feedback.
-
|
On the Tauri side every app has a keypair for signing application updates. The public key is embedded in the app binary, and before installing an update we verify its integrity. The challenge here is how to verify integrity across multiple module authors, might be impossible to do any check at all using JavaScript really (maybe a WASM that has the public keys embedded?). |
Beta Was this translation helpful? Give feedback.
-
|
You could use sub resource integrity check? standard browser feature? |
Beta Was this translation helpful? Give feedback.
-
|
Using subresource integrity sounds like a really interesting idea, but I still don't see how I can incorporate it with Module Federation. If it's really viable, I'd be very happy if there's some sample. |
Beta Was this translation helpful? Give feedback.
-
|
using runtime plugins you can call the createScript hook and pretty much control the script element added to the DOM. here you could include SRI from a json or elsewhere to verify |
Beta Was this translation helpful? Give feedback.
-
|
@tadayosi This is a helpful example I'm going to implement something similar this week |
Beta Was this translation helpful? Give feedback.
-
|
@rrosenshain-sc @ScriptedAlchemy Thanks!!! |
Beta Was this translation helpful? Give feedback.
-
Hi community,
Module Federation is a very powerful and excellent framework!
However, it has such powerful features that it can dynamically load modules from anywhere, which raises concerns about security in a more restricted context. One of these concerns is how to ensure the integrity of modules loaded remotely, that is, guaranteeing they have not been tampered with by 3rd parties over the network.
Generally, systems with dynamic module loading mechanisms may provide a feature to validate the hash or signature of the module at loading time. By validating a pre-generated hash value or signature at the time of module build when loading it, it can be confirmed that the module has not been tampered with during network transmission.
Question: Does Module Federation have such a feature? If so, please tell me how I can use the feature. If not, is it possible to implement such functionality in the future?
Beta Was this translation helpful? Give feedback.
All reactions