I have been adding some custom js to a django admin form. This involves importing a third party library.
As it is possible to include a third-party <script>, it should be possible, due to security concerns, to add an integrity check to it; otherwise, I am forced to keep a local copy of the library.
In my opinion, the js attribute, which is a tuple of strings representing the src of the lib, should also take dictionaries in the shape
Form Assets (the Media class) | Django documentation | Django
This does not seem to be possible at the moment, but can cause developers to import unsafe scripts, creating a vector for XSS attacks.
Django can’t (shouldn’t?) do this on the server side because those scripts don’t get retrieved by the server. The references are shipped as script tags to the browser - it’s the browser that is retrieving that code.
(Is there such a tool that exists already? If so, you may be able to integrate it.)
Hello, and thanks for your reply.
I’m aware this happens in the browser; however, it is the Django admin that is ultimately providing a way to embed in the served HTML document a <script> tag linking to a third-party lib, and providing no means to use this same mechanism to secure this dependency.
The value of the integrity tag is a checksum of the library that is expected to be downloaded, and it has to be set to what the dev that included the script expects it to be, so they do not allow the execution of a modified version that has not been checked for vulnerabilities/malicious code.
I wasn’t aware of the integrity attribute of the script tag - cool.
Django now does provide a facility where you can construct your own script tag for supplemental assets - see Paths as objects. I would think you could leverage this facility for doing that.
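Added example, not code from this thread or from Django itself: it computes the Subresource Integrity value for an audited copy of a library and defines a "path as object" whose rendered <script> tag carries integrity and crossorigin attributes. It assumes, per the Paths as objects documentation, that Django's Media renders such objects by calling their __html__() method; the class name IntegrityJS, the sample library bytes and the CDN URL are constructed for illustration.

```python
import base64
import hashlib
from html import escape


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI value ("sha384-<base64 digest>") for the exact bytes
    of the script that was reviewed; any modified copy will fail the check."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI supports only sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


class IntegrityJS:
    """Hypothetical 'path as object' for Django's Media class.

    Django renders objects listed in Media(js=[...]) through __html__()
    instead of wrapping a plain string in <script src="...">, so the tag
    can carry integrity and crossorigin attributes.
    """

    def __init__(self, src: str, integrity: str, crossorigin: str = "anonymous"):
        self.src = src
        self.integrity = integrity
        self.crossorigin = crossorigin

    def __str__(self) -> str:
        # Escape attribute values so a stray quote cannot break out of the tag.
        return (
            f'<script src="{escape(self.src, quote=True)}" '
            f'integrity="{escape(self.integrity, quote=True)}" '
            f'crossorigin="{escape(self.crossorigin, quote=True)}"></script>'
        )

    def __html__(self) -> str:
        # Same contract as django.utils.html.html_safe: output is trusted markup.
        return str(self)


# Constructed sample standing in for the vendored, reviewed copy of the library.
SAMPLE_LIBRARY = b"console.log('third-party library v1.0');\n"


def build_tag(src: str = "https://cdn.example.invalid/lib.js") -> str:
    """Render the tag Django would emit for this object in a form's Media."""
    return IntegrityJS(src, sri_hash(SAMPLE_LIBRARY)).__html__()


# Usage inside a form (not run here, requires Django):
# class MyForm(forms.Form):
#     class Media:
#         js = [IntegrityJS("https://cdn.example.invalid/lib.js", sri_hash(reviewed_bytes))]
```

Pin the hash to the bytes you reviewed, not to whatever the CDN currently serves, or the check only ratifies the remote copy.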
Thank you very much indeed!