add subresource integrity to css/js

[unuseless]

Allow the creation of a signature for subresource integrity for the created files.
see: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

[sar009]

Any update?

[vulcan25]

I'm trying to work out how to make this work with webassets.

This Python code can generate the hash:

import base64
import hashlib
BUF_SIZE = 65536
def checksum(input):
    hash = hashlib.sha256()
    with open(input, 'rb') as f:
        while True:
            data = f.read(BUF_SIZE)
            if not data:
                break
            hash.update(data)
    hash = hash.digest()
    hash_base64 = base64.b64encode(hash).decode()
    return 'sha256-{}'.format(hash_base64)

To test this I use a link copied with SRI tag from cdnjs, and wget the CSS file to my working directory, then:

>>> checksum('bootstrap-grid.css')
'sha256-cCazLItaM+Zz5UEzu9HNzlgWhXlvknCzjdE45LBeTns='

The hash of this file from the cdnjs provided link tag: integrity="sha256-cCazLItaM+Zz5UEzu9HNzlgWhXlvknCzjdE45LBeTns="

This looks good, but I'm not sure how webassets integration would or should work.

It would be perfect if when I define the link tag:

{% assets "css_all" %}
<link rel="stylesheet" media='screen' href="{{ ASSET_URL }}" />
{% endassets %}

I could then reference a variable like ASSET_SNI.

But there's also the question of where I call the code to generate these hashes in the first place, and where to store them.

[VorpalBlade]

Presumably this should be implemented in the jinja2 extension to expose a new variable (or use the EXTRA variable documented there).

[VorpalBlade]

I have a POC implementation, which I will extend with unit tests. I will not write any code for django etc, only jinja2 (since it is the only one I can test).

Furthermore, I will not be able to test any versions of Python except 3.7 and 2.7.