From:  "Fitzgerald, Nick" <>
Date:  11 Jun 2014 00:12:10 Hong Kong Time

Re: Adding checksums to source maps


On 6/9/14, 11:34 PM, Brian Slesinsky wrote:
>   Re: Checksum in file
>> Having the checksum in the URL would help validate that a source map is
>> for that file but I think we’d still need something to verify that the
>> sources are for the source map.
> To clarify, I was thinking of a checksum as an alternative to a URL, rather
> than part of it. The debugger could ignore a given URL and generate its own
> (perhaps to a private server) that includes the checksum, or perhaps the
> debugger wouldn't even use HTTP(S) to fetch the sourcemap. But if the
> debugger does use the given URL, it would probably make sense to pass the
> checksum as well, perhaps as a query parameter or HTTP header. (Since the
> debugger doesn't actually need to do any checksum calculation but just
> hands back what it was given, it's actually more of an opaque token in this
> scenario.)

This use case seems mostly beneficial to internal tools (such as 
deobfuscating client-side error stacks on the server), and I don't feel 
that it really needs to be mentioned and formalized in the source map 
spec the way the `//# sourceMappingURL` comment is.

For the use case where you want to give the user an option to supply
their own source map but want to warn them if it's the wrong one, having
the hashes in the source map itself is enough.
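
The check described in the last paragraph, as an added example that is not part of the original message or of the source map spec: a debugger warns when a user-supplied source map does not match the generated file or the sources it has loaded. The field names `x_generatedHash` and `x_sourcesHashes`, the choice of SHA-256 and the sample data are assumptions.

```javascript
// Added example. "x_generatedHash" and "x_sourcesHashes" are hypothetical
// field names, not part of the source map spec; SHA-256 is an assumed choice.
const { createHash } = require("node:crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Returns a list of warnings; an empty list means every hash recorded in the
// map matched the content the debugger actually holds.
function checkSourceMap(map, generatedText, loadedSources = new Map()) {
  const warnings = [];
  if (typeof map.x_generatedHash !== "string") {
    warnings.push("source map carries no hash for the generated file");
  } else if (map.x_generatedHash !== sha256(generatedText)) {
    warnings.push("source map was not built for this generated file");
  }
  const hashes = Array.isArray(map.x_sourcesHashes) ? map.x_sourcesHashes : [];
  (map.sources || []).forEach((name, i) => {
    if (!loadedSources.has(name)) return; // source not fetched, nothing to compare
    if (typeof hashes[i] !== "string") {
      warnings.push(`no hash recorded for source ${name}`);
    } else if (hashes[i] !== sha256(loadedSources.get(name))) {
      warnings.push(`source ${name} does not match the source map`);
    }
  });
  return warnings;
}

// Constructed sample data.
const generated = "function a(){return 1}\n//# sourceMappingURL=app.min.js.map\n";
const original = "function answer() {\n  return 1;\n}\n";
const goodMap = {
  version: 3, file: "app.min.js", sources: ["app.js"], names: [], mappings: "AAAA",
  x_generatedHash: sha256(generated),
  x_sourcesHashes: [sha256(original)],
};
// Same map, but built from a different build of the generated file.
const staleMap = { ...goodMap, x_generatedHash: sha256("function a(){return 2}\n") };

console.log(checkSourceMap(goodMap, generated, new Map([["app.js", original]])));
console.log(checkSourceMap(staleMap, generated, new Map([["app.js", original + "// edited\n"]])));
```

A map that carries no hash at all is reported rather than silently accepted, so the caller can decide whether an unverifiable map is usable.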