Add an integrity attribute to a script added to django admin

I have been adding some custom js to a django admin form. This involves importing a third party library.

As it is possible to include a third-party <script>, it should be possible, due to security concerns, to add an integrity check to it; otherwise I am forced to keep a local copy of the library.

In my opinion, the js attribute, which is a tuple of strings representing the src of the lib, should also take dictionaries in the shape

{
    'src': 'somelib.js',
    'integrity': 'sha256-xxxXXxxXXXXXx'
}

Form Assets (the Media class) | Django documentation | Django

This does not seem to be possible at the moment, which can cause developers to import unsafe scripts, creating a vector for XSS attacks.

Django can’t (shouldn’t?) do this on the server side because those scripts don’t get retrieved by the server. The references are shipped as script tags to the browser - it’s the browser that is retrieving that code.

Therefore, you would need to add some other JavaScript to that page to perform that validation, and any data supplied would need to work with it.

(Is there such a tool that exists already? If so, you may be able to integrate it.)

Hello, and thanks for your reply.

I’m aware this happens in the browser; however, it is the Django admin that is ultimately providing a way to embed in the served HTML document a <script> tag linking to a third-party lib, and providing no means to use this same mechanism to secure this dependency.

This integrity check is not performed (and should not be performed) by any script, but by the browser itself; see the “subresource integrity” section of this document: Third Party Javascript Management - OWASP Cheat Sheet Series

The value of the integrity tag is a checksum of the library that is expected to be downloaded, and it has to be set to what the dev who included the script expects it to be, so that they do not allow the execution of a modified version that has not been checked for vulnerabilities/malicious code.

I wasn’t aware of the integrity attribute of the script tag - cool.

Django now does provide a facility where you can construct your own script tag for supplemental assets - see Paths as objects. I would think you could leverage this facility for doing that.

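The following is an added example, not code from this thread or from Django itself, showing how the two pieces discussed above fit together: computing the integrity value the way the OWASP cheat sheet describes it (a base64-encoded digest of the exact bytes you reviewed), and using the Paths as objects mechanism from the last reply to get that value into the admin's <script> tag. The CDN URL, the library bytes and the `admin_media_js()` helper are assumptions; `render_js()` is a stand-in that mimics what Django's `Media.render_js()` does with an object exposing `__html__()` (real Django also runs plain string paths through `static()`), and `__html__()` is written by hand here instead of using Django's `html_safe()` decorator so the block runs without Django installed. `verify_sri()` mirrors the browser-side check so you can see what a mismatched or multi-token attribute does:

```python
import base64
import hashlib
import hmac
from html import escape

# Constructed stand-in for the third-party library file that was reviewed.
# In practice, hash the exact bytes of the pinned version you audited.
REVIEWED_LIB = b'window.somelib = {version: "1.2.3"};\n'

# Algorithms browsers accept in the integrity attribute, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content, algorithm="sha384"):
    """Return an SRI token, "<alg>-<base64 digest>", for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("unsupported SRI algorithm: %s" % algorithm)
    digest = hashlib.new(algorithm, content).digest()
    return "%s-%s" % (algorithm, base64.b64encode(digest).decode("ascii"))


def verify_sri(content, integrity):
    """Mirror the browser check: does the fetched body match the attribute?

    The attribute may hold several space-separated tokens. The browser keeps
    only the tokens using the strongest algorithm present and accepts the
    response if any one of those matches; otherwise the script is not run.
    """
    parsed = []
    for token in integrity.split():
        alg, _, expected = token.partition("-")
        if alg in SRI_ALGORITHMS and expected:
            parsed.append((alg, expected))
    if not parsed:
        return False
    strongest = max(SRI_ALGORITHMS.index(alg) for alg, _ in parsed)
    for alg, expected in parsed:
        if SRI_ALGORITHMS.index(alg) != strongest:
            continue
        actual = sri_hash(content, alg)
        if hmac.compare_digest(actual.encode(), ("%s-%s" % (alg, expected)).encode()):
            return True
    return False


class ScriptWithIntegrity:
    """A Media "path as object": Django emits __html__() verbatim instead of
    building its own <script src="..."></script> tag."""

    def __init__(self, src, integrity, crossorigin="anonymous"):
        self.src = src
        self.integrity = integrity
        # Cross-origin scripts need CORS for the browser to read the bytes it
        # hashes; without crossorigin the SRI check fails and nothing runs.
        self.crossorigin = crossorigin

    def __str__(self):
        return (
            '<script src="%s" integrity="%s" crossorigin="%s"></script>'
            % (
                escape(self.src, quote=True),
                escape(self.integrity, quote=True),
                escape(self.crossorigin, quote=True),
            )
        )

    # Django's html_safe() decorator generates exactly this method; defining
    # it by hand keeps the example importable without Django installed.
    def __html__(self):
        return str(self)


# Assumed CDN URL. In the project this object goes into the `js` tuple of
# the form's or widget's `class Media`.
SOMELIB_SCRIPT = ScriptWithIntegrity(
    "https://cdn.example/somelib.js", sri_hash(REVIEWED_LIB)
)


def admin_media_js():
    """Assumed helper: what the admin form's `Media.js` tuple would contain."""
    return (SOMELIB_SCRIPT,)


def render_js(paths):
    """Stand-in for Django's Media.render_js(): objects with __html__() are
    emitted as-is, plain strings get a bare <script src> tag (real Django
    also resolves the string through static()), so only the object form can
    carry an integrity attribute."""
    rendered = []
    for path in paths:
        if hasattr(path, "__html__"):
            rendered.append(path.__html__())
        else:
            rendered.append('<script src="%s"></script>' % escape(path, quote=True))
    return rendered


if __name__ == "__main__":
    for tag in render_js(admin_media_js()):
        print(tag)
```

Pin the URL to a specific library version alongside the hash: the check is deliberately all-or-nothing, so any upstream change to the file, benign or not, blocks the script until you re-review the new bytes and update the token.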

Thank you very much indeed!