Subresource Integrity

Hi there :waving_hand:,

I am just updating my annual “security in Django” Xmas talk slides to include CSP. Wonderful effort, loved Django-DSP and love even more that security is still on the fast track in Django.

Now, with DSP taken care of, should we tackle subresource integrity next?

It’s a fairly similar concept, and since I snuck script tags into Django 5.2, it might just be within grasp.

With supply chain attacks climbing to 3rd place on the OWASP ranking, I believe it might be a commendable effort.

“trust me bro”-ing vendors is great, but I’d love sha512 hashes, just in case :wink:

I’d be happy to help, having had some experience with subresource integrity in importmaps with esimport.

Cheerio!
Joe

What would this even entail? Afaiu, if you write a <script> or a Script for a third-party resource, you can already provide the hash, and you don’t need them for your own resources (as managed by django.contrib.staticfiles).

Also, even with SRI there are many good reasons to avoid JavaScript CDNs, so I’m not sure how much we want to “support” this pattern.


Hi Adam,

100%, CDNs are an invitation for supply chain attacks. At least with integrity hashes, it’s probably equally as secure as npmjs. To be fair, both npm and PyPi have put serious effort into fixing this with 2FA and OIDC trust chains. There are also CDNs that only build from GitHub directly, making dist injections less likely.

Anyhow, I always vendor my dependencies too, but the second you use a CDN (which you might need to), supply chain integrity becomes an issue again.

Now to the how:

First, Safari doesn’t support the header yet… of course it doesn’t… but the integrity argument on script tags and importmaps has baseline support.

Yes, Django’s ManifestStaticFilesStorage already creates hashes, but md5. This would need to be at least sha384 or better sha512. They compute a little slower, but nothing compared to Brotli compression. Anyhow, static file collection is certainly the best place to generate lock integrity hashes.

So my best guess, without having done the actual work yet, would be a new middleware and an extension of the staticfiles backends. Something like this: StaticFilesStorage.integrity(name: str)

We could EAFP the new method for very gentle backwards compatibility. Meaning, if the backend provides an integrity method, it’s rendered into form media, otherwise it isn’t.

Most of this could be done in a separate package, except for the actual rendering part. Maybe that’s a good place to start: only implement the “if the backend has an integrity method, we render it” part, and leave the rest to 3rd parties for now until more maturity is reached.

Those would be my two cents about this.

Best
Joe
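The proposal above (a staticfiles backend growing an integrity() method, sha384/sha512 instead of md5, and EAFP rendering of the integrity attribute), as an added example that is not part of this thread or of Django; IntegrityStorage, PlainStorage and render_script are constructed stand-ins for a storage backend and the media renderer, not Django's API, and verify() mirrors the browser-side check:

```python
import base64
import hashlib
import html

# Hash algorithms browsers accept for SRI, weakest to strongest (md5 is not one of them).
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI integrity value such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not permit {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


class IntegrityStorage:
    """Constructed stand-in for a staticfiles backend that provides integrity()."""
    def __init__(self, files: dict[str, bytes], algorithm: str = "sha384"):
        self.files = files          # name -> collected file content
        self.algorithm = algorithm

    def url(self, name: str) -> str:
        return f"/static/{name}"

    def integrity(self, name: str) -> str:
        return sri_hash(self.files[name], self.algorithm)


class PlainStorage:
    """Constructed stand-in for a backend without integrity(): rendering must still work."""
    def __init__(self, files: dict[str, bytes]):
        self.files = files

    def url(self, name: str) -> str:
        return f"/static/{name}"


def render_script(storage, name: str) -> str:
    """EAFP rendering: emit integrity= only when the backend provides it.
    A cross-origin src (e.g. a CDN) additionally needs crossorigin="anonymous"."""
    try:
        integrity = storage.integrity(name)
    except AttributeError:
        integrity = None
    attrs = f'src="{html.escape(storage.url(name))}"'
    if integrity:
        attrs += f' integrity="{integrity}"'
    return f"<script {attrs}></script>"


def verify(content: bytes, integrity: str) -> bool:
    """Browser-side check: of the listed hashes, only the strongest algorithm counts."""
    candidates = {}
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm in SRI_ALGORITHMS:
            candidates.setdefault(algorithm, set()).add(expected)
    if not candidates:
        return True  # no usable algorithm: browsers load the resource unchecked
    strongest = max(candidates, key=SRI_ALGORITHMS.index)
    return sri_hash(content, strongest).split("-", 1)[1] in candidates[strongest]
```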

As a 3rd-party solution, I’ve been maintaining django-sri for a few years, which adds SRI support. It’s not as well integrated as a 1st-party solution could be, but it at least lets you use it:

SRI can still have benefits beyond including 3rd-party scripts.


:heart_eyes: love it! Thanks for maintaining this, and now you have another sponsor!

I’ll be working on #36784 (Add CSP support to Django's script object and media objects) next. We should make sure this is implemented with integrity in mind. It’d be cool if Django’s form assets automagically got an integrity attribute assigned to promote a secure practice.

Care to join forces in this quest?