Context Navigation

← Previous Ticket
Next Ticket →

#29490 closed New feature (fixed)

Subresource integrity for form assets

Reported by:	Meiyer	Owned by:	Claude Paroz
Component:	Forms	Version:	dev
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	yes
Needs tests:	yes	Patch needs improvement:	yes
Easy pickings:	no	UI/UX:	no

Description

SRI gives the web site author some guarantees that an external resource (typically, a script), included within the web page, has not been altered. For example, various external libraries are loaded from a CDN or another third-party repository, implicitly trusting that repositories’ security, but these libraries can be modified or tampered with to include malicious code, with the web site author not aware that this malicious code is now running on their web site in the context of their own web application. SRI prevents the loading of such resources if they were modified.

SRI is implemented by the means of the “integrity” attribute on the <LINK> and <SCRIPT> HTML elements. It is relevant to Django, because the form assets (“Media”) may point to resources on external repositories. But Django does not allow any way to specify the “integrity“ attribute (and the “crossorigin” attribute) for the assets of the forms.

I suggest modifying the Media class definitions such that the assets are not a simple list but a dict (with keys such as src, integrity, crossorigin), resulting in corresponding HTML elements being rendered appropriately. There can be a fallback to the simpler case when a list or tuple is provided, for backwards-compatibility.

Change History (8)

comment:1 by Claude Paroz, 6 years ago

Triage Stage:	Unreviewed → Accepted

comment:2 by Tim Graham, 6 years ago

I'd say maybe. There's also some thought in #22298 to deprecate the Media class.

comment:3 by Claude Paroz, 6 years ago

Based on what I suggested in #29586 and this discussion, here's what could be a possible implementation (still WIP):
https://github.com/claudep/django/commit/89aa4c04dbffcbafc05c3e2053b2262be8de4d3d

Considering it was suggested the original proposal should be first implemented as a 3rd party app, I don't want to go further without a green light for integrating such an implementation to Django.

comment:4 by Claude Paroz, 3 years ago

Has patch:	set

In this new PR, I tried adding the minimal possible support in Django to allow for some custom rendering of form media. This would allow people to add basic support for custom attributes, as demonstrated by the implementation supporting integrity in tests.

comment:5 by Mariusz Felisiak, 3 years ago

Owner:	changed from nobody to Claude Paroz
Status:	new → assigned

comment:6 by Mariusz Felisiak, 3 years ago

Triage Stage:	Accepted → Ready for checkin

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

Resolution:	→ fixed
Status:	assigned → closed

In 4c76ffc2:

Fixed #29490 -- Added support for object-based Media CSS and JS paths.

comment:8 by Johannes Maron, 2 weeks ago

Needs documentation:	set
Needs tests:	set
Patch needs improvement:	set

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues