On production source maps must be protected from unauthorised users. The simplest way to do it is to serve them separately and use any kind of authentication, restriction by IP or something of a kind.

But webpack always places source map files within output dir and uses relative paths as urls for them.

There is no way to generate source maps beyond of output dir, the only option is to specify something like sourceMapFilename='srcmaps/[file].map' and move srcmaps directory to some other place as a post-build step.

But there will be a problem with source map urls then. One can use plugin constructor arguments to override sourceMappingURLComment, but [url] will be substituted with a relative path including number of ../ which prevents possibility to prefix it with something indicating where source maps will be served from.

E.g. SourceMapDevToolPlugin('srcmaps/[file].map', '\n//# sourceMappingURL=/secretplace/[url]') will not work because for a/b/c/d/e.js sourceMappingURL will be /secretplace/../../../../srcmaps/a/b/c/d/e.js.map while we need /secretplace/srcmaps/a/b/c/d/e.js.map

Basically, we need:

• Ability to use something like [url] equivalent for sourceMappingURLComment, but providing a path relative to content root instead of js file location
• A way to specify output directory for source maps independent of output path for all other content (to avoid post-build moving step)
• Ideally, a little bit more convenient way to specify sourceMappingURL template than by using sourceMappingURLComment argument

P.S. I understand that source map files can be protected while still being located within common output dir, but it is dangerous, because if you forget to serve source maps located elsewhere you would just have a production server without source maps, but if you forget to protect deployed source maps you will expose sources to everyone.