by tmoehle 881 days ago
Generally a good idea, but its implementation is not fully thought through.

It’s supposed to be a secure place where secrets are shared, but it comes with Remote Code Executions that are out of the user’s control. Multiple JavaScript files are loaded from third-party hosts to display the page, which would offer significant attack vectors to your users’ secrets.

You should both reduce the code dependency on large, external frameworks, as well as verify the necessary files and deliver them from the same host that already serves the rest of the page (because you’re going to have to trust that host anyway).


To be fair, except for vue.global.min.js, all the JS files which OP pulls from third-party hosts are integrity-checked. So unless clients use very outdated browsers that don’t support the `integrity` attribute, the respective third parties wouldn’t be able to start inserting malicious code in the future.

That being said, I agree it’s still a cheap security improvement for OP to control the hosting themselves. (Plus to integrity-check the Vue dependency.)

Hmm.

If we pretend that there are no vulnerabilities today, then the mind turns to what will change in the future.

I tolerate js in the Bitwarden extension because it's necessary, funded, supported and necessary. But Retriever sounds to me like a project that would do better to minimise surface area.
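
The check discussed in the thread above, as an added example that is not part of any comment and not the project's own code: a Python audit that lists which `<script>` tags load from a third-party host without an `integrity` attribute, plus a verifier showing that a pinned file stops matching once its bytes change. The hosts, paths and file contents in the sample page are constructed.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri(data, alg="sha384"):
    """Build an SRI value: '<alg>-<base64 of the raw digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, data).digest()).decode()}"

def matches(data, integrity):
    """Check data as browsers do: only the strongest listed algorithm counts."""
    algs = STRENGTH.keys() & {t.split("-", 1)[0] for t in integrity.split()}
    if not algs:
        return False  # audit choice: unusable metadata is treated as a failure
    best = max(algs, key=STRENGTH.get)
    return sri(data, best) in integrity.split()

class ScriptAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings = page_host, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag != "script" or not src:
            return  # inline scripts are out of scope for this check
        host = urlparse(src).netloc
        if not host or host == self.page_host:
            status = "same-host"
        else:
            status = "third-party, " + ("pinned" if attrs.get("integrity") else "UNPINNED")
        self.findings.append((src, status))

def audit(html, page_host):
    """Return (src, status) for every external script reference in the page."""
    parser = ScriptAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page: hosts, paths and file contents are made up.
LIB_A = b"/* constructed stand-in for a minified library */"
SAMPLE_HTML = f"""
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib-a.min.js" integrity="{sri(LIB_A)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/vue.global.min.js"></script>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_HTML, "app.example"), sep="\n")
```

Run against a saved copy of a page, the `UNPINNED` rows are the scripts a third-party host could change without the browser noticing; `sri()` produces the value to pin once the file has been reviewed.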