
© 2024 – Pkg Stats / Ryan Hefner

web-bootloader

v1.0.3

Published

prototype bootloader for the offline web.

Downloads

39

Readme

The goal of this module is to allow an offline web app to be securely loaded, and later updated, without giving the server a backdoor into the app.

other modules exploring this space:

  • https://github.com/substack/hyperboot
  • https://github.com/substack/slugboot
  • https://github.com/feross/infinite-app-cache

A web app is an app that is reinstalled every time it is run. Appcache & ServiceWorker allow a webapp to become an app with an automatic updater, that updates when a new version is available. But an autoupdater is essentially a backdoor. It can be used to add security, but it can also take it away.

We want to take that away - so that the user can have control over the update process. Then we can be secure even if the server is compromised.

Making the bootloader secure also makes it more difficult to update. For this reason, it's very important that the bootloader is as simple as possible.

bootload process

web-bootloader supports loading a single JavaScript file, which must match an expected hash.

When the page loads, web-bootloader checks whether the page's url hash fragment (the part after #) is itself a url containing a base64 hash. urls without a hash are not supported. If the app already has a local copy of the file with that hash, it runs the local copy. Otherwise the new code is fetched from the url; if the response does not have the expected hash, the response is discarded and the previous version is run.

pseudocode

//secure_url is a url containing a hash.
//this tells where to get the js bundle,
//and also what it must be.
//store maps hash -> source, and store.current_version
//holds the hash of the last version that was run
//(assumed here: run(id) records it).

if(secure_url) {
  //extract hash from url.
  var id = getHash(secure_url)
  //check if we already know this.
  if(store[id])
    run(id)
  else
    load(secure_url, function (err, src) {
      //compare the hash of what the server sent
      //against the hash the url promised.
      if(err || id !== hash(src))
        //discard the response; the previous
        //version (store.current_version) is run instead.
        fail('corrupt response')
      else {
        store[id] = src
        run(id)
      }
    })
}
else if(store.current_version) {
  run(store.current_version)
}
else
  usage()

user stories

invite codes

Alice wants to invite Bob to join the p2p revolution. She generates an invite code, and creates a link containing the address of a server hosting web-bootloader, a secure url containing Alice's recommended UI version, and the invite code. Alice sends this to Bob via a legacy channel (email, twtr, etc).

Bob clicks on that link. His browser first loads the web-bootloader script, which then loads the secure url, which then uses the invite code to join the network.

Now Bob is cryptographically linked into the network.

manual updates

Alice has been hacking on a new feature for her preferred UI client. She creates a new js bundle and publishes it as a blob. Then she posts a message announcing the new version, containing the link. Bob (or anyone else) can then click on that link to load that version as their client.

automatic updates

Bob thinks the work Alice is doing is great, but doesn't want to bother manually updating. He just subscribes to her updates (for a given app), and his client updates itself.

temporary update

Charlie is writing an app similar to Alice's. Alice wants to try it out, but not necessarily to use it as her main thing. This means Alice needs an option, at some point when loading the app, to choose either not to persist the version, or to run a version just once.

As long as it's possible to manage versions, Alice can select which version she wants to run, and remove versions she no longer wants or needs.

License

MIT