local-fs-https-imports
make a local copy of https imports and output a policy file
MIT License
Local FS HTTPS Imports
Usage
local-fs-https-imports app.js policy.json
node --experimental-policy policy.json app.js
Would allow an app.js with:
import 'https://flavio-es-modules-example.glitch.me/script.js';
To run.
What does it do?
It parses an entry module and crawls the source text looking for imports. When it finds an import it tries to resolve the URL it points to. If it finds a https: URL it saves it to disk under node_modules/.https/. After it is done crawling the entry module graph it creates a Node.js Policy Manifest to redirect requests to those URLs to the files on disk instead and prints it to STDOUT.
Is this production ready?
Maybe? I am biased though. The resolver isn't as feature complete as the Node builtin resolver.
I want feature X!
PR it, this is mostly a proof of concept to help get HTTPS imports rolling in Node.js core by showing a potential set of semantics we can experiment with.
Support Matrix
| Feature | Status | Notes |
|---|---|---|
content-type header |
working | only JavaScript MIMEs are supported, saves as .mjs files to disambiguate regardless of package "type" |
| CORS | missing | could be implemented, but really unclear given the same origin model on what the "base" origin should be. Node PR uses multiple origins to solve this, could do so here |
authorization header |
missing | no cookie jar implemented here currently to do so |
http: |
won't fix | use https:
|
| cache-control | won't fix | this saves the state at the time of running the script, expiration won't break your program |
import.meta.url |
won't fix | this points to the local file, it won't point to a dynamic server URL. This means some asset management won't work such as using fetch. This however prevents potential problems with missing assets only working sometimes or being vulnerable to manipulation compared to the cache |