Proposal: Dynamic attrs #166
Conversation
| Ok let's not do this. |
| Hi @prayerslayer , did you try a CHIP component instead of HTML ? It's also isomorphic so you could bind callbacks that take dom objects in pure python 😂 |
| <img src="{% webpack_static 'my-image.png' 'APP2'%}"/> | ||
| <div id="react-app"></div> | ||
| {% render_bundle 'main' 'js' attrs='async charset="UTF-8"'%} | ||
| {% render_bundle 'main' 'js' attrs='async nonce="{{ CSP_NONCE }}" charset="UTF-8"'%} |
There was a problem hiding this comment.
I recon it turns out hard to read, it took me a few minutes to figure how it compiled, but i recon at that time of the day i'm a bit tired :weed:
Did you try using a plain variable ?
{% render_bundle 'main' 'js' attrs='async nonce="' + CSP_NONCE +'" charset="UTF-8"' %} In Jinja you could set CSP_NONCE in a global variable, for django templates a context processor (we use jinja2, but looking forward to try a migration to CHIP and drop all templates in favor of programable, isomorphic components, that also removes the need for React some say 😂)
| Thanks for your suggestions! I didn't bother more about the particular nonce use case, because it turns out you need those only for inline scripts, which this project doesn't generate in the first place :) But maybe the proposed techniques can be used to support SRI, I'll need to check. |
2 participants
Hi there. This isn't intended to be merged, but I'd like to start a discussion about it.
So I really like django-webpack-loader. However a limitation that I see are the static
attrs, ie. HTML attributes. They work fine for situations like async/defer etc., but there are more.When you look e.g. at the Content Security Policy spec (tldr: basically a host whitelist for your web app), you see different options to handle scripts, e.g. you can disallow inline scripts. But you can also configure CSP to allow inline scripts only when an attribute on them matches a random value ("nonce") from your server. (This is to be sure that it wasn't inserted by an attacker.)
Another situation would be Subresource Integrity, where instead of the nonce you use a checksum of the file. (This is to prevent your CDN from changing your code.)
Advanced usage of preload attributes could be another case where you'd want to have dynamic attributes. Anyways, I hope I convinced you by now.
As for this POC, it's not very pretty, but a start. It basically changes
attrsto be a template which gets rendered with the request context. This solves my first issue with the CSP nonce (from mozilla/django-csp). I'm not sure how one would implement dynamic attributes on a chunk (SRI from above) or request basis (e.g. "preload css only on home page"). If you would be inclined to give me some pointers and merge this in the end, I could continue working on it.Thanks for reading. What do you think?