The Unclear Impact

Very interesting, I didn’t realise that subresource integrity was entirely missing from the ESM spec. So what this would mean is that, with ESM, any code loaded from any CDN could contain a potential government backdoor. How is this not a bigger issue?

(I’m saying a government backdoor because it would most likely take a state-level actor to force a CDN company to do that but it could, of course, be a disgruntled employee or cracker.)

@aral Also worrying is the lack of subresource integrity for resources like fonts included from CSS.

While straight up injecting unauthenticated JS code is of course easier to exploit, font rendering is a big can of worms and arbitrary code execution with carefully crafted web fonts wasn't unprecedented (although, fortunately, modern browsers have much better sandboxes than IE circa 2011).