[Django] #29490: Subresource integrity for form assets

#29490: Subresource integrity for form assets
---------------------------------------+------------------------
               Reporter:  Meiyer       |          Owner:  nobody
                   Type:  New feature  |         Status:  new
              Component:  Forms        |        Version:  master
               Severity:  Normal       |       Keywords:
           Triage Stage:  Unreviewed   |      Has patch:  0
    Needs documentation:  0            |    Needs tests:  0
Patch needs improvement:  0            |  Easy pickings:  0
                  UI/UX:  0            |
---------------------------------------+------------------------
 [https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity SRI] gives the web site author
 some guarantees that an external resource (typically, a script), included
 within the web page, has not been altered. For example, various external
 libraries are loaded from a CDN or another third-party repository,
 implicitly trusting those repositories’ security, but these libraries can
 be modified or tampered with to include malicious code, with the web site
 author not aware that this malicious code is now running on their web site
 in the context of their own web application. SRI prevents the loading of
 such resources if they were modified.

 SRI is implemented by means of the “integrity” attribute on the
 `<LINK>` and `<SCRIPT>` HTML elements. It is relevant to Django, because
 the form assets (“Media”) may point to resources on external repositories.
 But Django does not allow any way to specify the
 [https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#Using_Subresource_Integrity “integrity” attribute]
 (and the [https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes “crossorigin” attribute])
 for the assets of the forms.

 I suggest modifying the `Media`
 [https://docs.djangoproject.com/en/2.0/topics/forms/media/#assets-as-a-static-definition class definitions]
 such that the assets are not a simple list but a `dict` (with keys such as
 `src`, `integrity`, `crossorigin`), resulting in corresponding HTML elements
 being rendered appropriately. There can be a fallback to the simpler case
 when a `list` or `tuple` is provided, for backwards compatibility.

--
Ticket URL: <https://code.djangoproject.com/ticket/29490>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/052.4acd3484d842e90614b0fd421f3f1fa6%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
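As an added illustration (not code from the ticket, from Django, or from the reporter), here is how the dict-based asset shape proposed in the report could be rendered, next to the hash computation an author uses to produce an `integrity` value and the comparison a browser performs on the fetched bytes. The `render_js` function, the `src`/`integrity`/`crossorigin` dict keys and the CDN URL are assumptions drawn from the proposal, not Django's API.

```python
import base64
import hashlib
from html import escape

# Digest algorithms the SRI spec permits in an integrity value.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Integrity value ("<alg>-<base64 digest>") for an asset's exact bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Mirror the browser's check: fetched bytes must match the declared digest."""
    algorithm = integrity.partition("-")[0]
    return algorithm in SRI_ALGORITHMS and sri_hash(content, algorithm) == integrity


def render_js(asset) -> str:
    """Render one entry of a Media-style 'js' list.

    A plain string keeps today's behaviour (no SRI); a dict with the hypothetical
    'src' / 'integrity' / 'crossorigin' keys from the ticket adds the attributes.
    """
    if isinstance(asset, str):
        return f'<script src="{escape(asset)}"></script>'
    attrs = [f'src="{escape(asset["src"])}"']
    if "integrity" in asset:
        attrs.append(f'integrity="{escape(asset["integrity"])}"')
    if "crossorigin" in asset:
        # Without a CORS-mode fetch the browser cannot read a cross-origin
        # response body, so an integrity check on a CDN script needs this.
        attrs.append(f'crossorigin="{escape(asset["crossorigin"])}"')
    return f'<script {" ".join(attrs)}></script>'


# Constructed sample asset standing in for a library served from a CDN.
ASSET_BYTES = b"window.widgetInit = function () { /* constructed sample */ };\n"
ASSET_INTEGRITY = sri_hash(ASSET_BYTES)
MEDIA_JS = [
    "admin/js/core.js",  # same-origin static asset, rendered as today
    {"src": "https://cdn.example/widget.js",  # placeholder CDN URL
     "integrity": ASSET_INTEGRITY, "crossorigin": "anonymous"},
]

if __name__ == "__main__":
    print("\n".join(render_js(a) for a in MEDIA_JS))
    # One byte appended to a tampered CDN copy makes the check fail.
    print(verify_integrity(ASSET_BYTES + b";", ASSET_INTEGRITY))  # False
```

Note that the integrity value pins the exact bytes, so every upstream release of the library means recomputing and redeploying the hash; that is the operational cost the `Media` change would put on the form author.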
Re: [Django] #29490: Subresource integrity for form assets

-----------------------------+------------------------------------
     Reporter:  Meiyer       |                    Owner:  nobody
         Type:  New feature  |                   Status:  new
    Component:  Forms        |                  Version:  master
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  0            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+------------------------------------
Changes (by Claude Paroz):

 * stage:  Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:1>
Re: [Django] #29490: Subresource integrity for form assets

Comment (by Tim Graham):

 I'd say maybe. There's also some thought in #22298 to deprecate the
 `Media` class.

--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:2>
Re: [Django] #29490: Subresource integrity for form assets

Comment (by Claude Paroz):

 Based on what I suggested in #29586 and
 [https://groups.google.com/forum/#!msg/django-developers/KYmNnvwXDUI/5zfPx27OBwAJ this discussion],
 here's what could be a possible implementation (still WIP):
 https://github.com/claudep/django/commit/89aa4c04dbffcbafc05c3e2053b2262be8de4d3d

 Considering it was suggested the original proposal should be first
 implemented as a 3rd party app, I don't want to go further without a green
 light for integrating such an implementation into Django.

--
Ticket URL: <https://code.djangoproject.com/ticket/29490#comment:3>