django-pipeline Build in support for Subresource Integrity

Build in support for Subresource Integrity

Open jensenbox opened this issue 9 years ago • 10 comments

http://githubengineering.com/subresource-integrity/

Sounds like an easy enough thing to add.

Sep 18 '15 20:09 jensenbox

Oct 01 '15 22:10 joshowen

Not sure it's that easy, but a pull request is welcome!

Oct 12 '15 20:10 cyberdelia

@cyberdelia I'd like to give this a shot, any pointers as to where I could start?

Jan 13 '16 14:01 skorokithakis

@pmclanahan and me are interested in that as well after talking to @fmarier a bit (spec coauthor).

Jan 14 '16 11:01 jezdez

+1 I looked at this a bit but was pulled away by work. It shouldn't be too bad, but the code in this area is a bit confusing, and there is a decision to make about where and how to store the hash since it's not the same as the one from Django.

Jan 14 '16 13:01 pmclanahan

What do you mean by that? Which hash does Django use, and where? Also, couldn't this hash be put in the manifest?

Jan 14 '16 13:01 skorokithakis

I mean it depends on you using ManifestFilesMixin or CachedFilesMixin, but you don't have to use those, and those use sha1 anyway which isn't supported by the spec. I guess you're right though that we'd have to require the use of a manifest to support this feature.

Jan 14 '16 16:01 pmclanahan

Why not change the hashing algorithm? Does anyone rely on it?

Jan 14 '16 16:01 skorokithakis

Could override it here probably, but that'd be a change to Django, and for the use in Django staticfiles app it really doesn't need any more than sha1. It might land if someone did it though.

Jan 14 '16 17:01 pmclanahan

I'm want to implement this for our project. Has anyone done any work they want to share already or I can just launch in..

May 29 '17 01:05 eoinof

django-pipeline django-pipeline copied to clipboard

Build in support for Subresource Integrity

django-pipeline
django-pipeline copied to clipboard