id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29490	Subresource integrity for form assets	Meiyer	Claude Paroz	"[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity SRI] gives the web site author some guarantees that an external resource (typically, a script), included within the web page, has not been altered. For example, various external libraries are loaded from a CDN or another third-party repository, implicitly trusting those repositories’ security, but these libraries can be modified or tampered with to include malicious code, with the web site author not aware that this malicious code is now running on their web site in the context of their own web application. SRI prevents the loading of such resources if they were modified.

SRI is implemented by the means of the “integrity” attribute on the `<LINK>` and `<SCRIPT>` HTML elements. It is relevant to Django, because the form assets (“Media”) may point to resources on external repositories. But Django does not allow any way to specify the [https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#Using_Subresource_Integrity “integrity” attribute] (and the [https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes “crossorigin” attribute]) for the assets of the forms.

I suggest modifying the `Media` [https://docs.djangoproject.com/en/2.0/topics/forms/media/#assets-as-a-static-definition class definitions] such that the assets are not a simple list but a `dict` (with keys such as `src`, `integrity`, `crossorigin`), resulting in corresponding HTML elements being rendered appropriately. There can be a fallback to the simpler case when a `list` or `tuple` is provided, for backwards-compatibility."	New feature	closed	Forms	dev	Normal	fixed			Ready for checkin	1	1	1	1	0	0
