I have been adding some custom js to a django admin form. This involves importing a third party library.
As it is possible to include a third party <script>, it should be possible, due to security concerns, to add an integrity check to it; otherwise, I am forced to keep a local copy of the library.
In my opinion, the js attribute, which is a tuple of strings representing the src of the lib, should also take dictionaries in the shape
Django can’t (shouldn’t?) do this on the server side because those scripts don’t get retrieved by the server. The references are shipped as script tags to the browser - it’s the browser that is retrieving that code.
Therefore, you would need to add some other JavaScript to that page to perform that validation, and any data supplied would need to work with it.
(Is there such a tool that exists already? If so, you may be able to integrate it.)
I’m aware this happens in the browser, however, it is the Django admin that is ultimately providing a way to embed in the served html document a <script> tag linking to a third party lib, and providing no means to use this same mechanism to secure this dependency.
The value of the integrity tag is a checksum of the library that is expected to be downloaded, and it has to be set to what the dev that included the script expects it to be, so they do not allow the execution of a modified version that has not been checked for vulnerabilities/malicious code.
I wasn’t aware of the integrity attribute of the script tag - cool.
Django now does provide a facility where you can construct your own script tag for supplemental assets - see Paths as objects. I would think you could leverage this facility for doing that.
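To make the "Paths as objects" suggestion concrete, here is an added example (not code from this thread or from Django itself) of a path object that renders its own <script> tag with integrity and crossorigin attributes, plus a helper that computes the SRI digest from the bytes of a library you have reviewed. The library bytes and the CDN URL are constructed placeholders; the block deliberately does not import Django, so it runs stand-alone, and the ModelAdmin wiring is shown in a comment.

```python
import base64
import hashlib
from html import escape

# Constructed sample: stands in for the exact bytes of the third-party
# library you vetted. In practice, hash the file you reviewed, not whatever
# the CDN happens to serve today.
VETTED_LIBRARY_BYTES = b"window.widget = function () { return 42; };\n"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return a Subresource Integrity digest in the form the integrity
    attribute expects: '<algorithm>-<base64 digest>'.
    Browsers accept sha256, sha384 and sha512."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


class ScriptWithIntegrity:
    """A Media path object for Django's 'paths as objects' facility.

    Django renders a Media path by calling __html__ on it when present, so
    this class emits a complete <script> tag and can therefore carry the
    integrity and crossorigin attributes a plain string path cannot.
    crossorigin is needed because the browser can only verify integrity on a
    cross-origin script fetched with CORS."""

    def __init__(self, src: str, integrity: str, crossorigin: str = "anonymous"):
        self.src = src
        self.integrity = integrity
        self.crossorigin = crossorigin

    def __str__(self) -> str:
        # Escape attribute values so a stray quote cannot break out of the tag.
        return (
            f'<script src="{escape(self.src, quote=True)}" '
            f'integrity="{escape(self.integrity, quote=True)}" '
            f'crossorigin="{escape(self.crossorigin, quote=True)}"></script>'
        )

    def __html__(self) -> str:
        # Tells Django's conditional_escape the output is already safe HTML.
        return str(self)


def admin_media_js(src: str, library_bytes: bytes) -> tuple:
    """Build the tuple to assign to Media.js (hypothetical helper name)."""
    return (ScriptWithIntegrity(src, sri_hash(library_bytes)),)


# Usage inside a ModelAdmin (requires Django; the URL is a placeholder):
#
#     class WidgetAdmin(admin.ModelAdmin):
#         class Media:
#             js = admin_media_js("https://cdn.example/widget.js",
#                                 VETTED_LIBRARY_BYTES)
#
# The rendered tag is then <script src="..." integrity="sha384-..." crossorigin="anonymous">
# and the browser refuses to execute the file if its digest does not match.
```

If the CDN ships a new version, the digest no longer matches and the script is blocked rather than silently upgraded, which is exactly the property the original poster wanted; you then re-review the new file and update the pinned hash.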