Support <script integrity= crossorigin=> tags

[westurner]

Is your feature request related to a problem? Please describe.

• Use Case:
  • conf.py: Add a jquery static js asset with app.app_javascript()
    • https://releases.jquery.com/ suggests this <script> tag with extra attributes that aren't yet supported by app.add_javascript(pathurl) is now app.add_js_file(pathurl):

      <script
        src="https://code.jquery.com/jquery-3.7.1.slim.min.js"
        integrity="sha256-kmHvs0B+OpCW5GVHUNjv9rOmY0IvSIRcf7zGUDTDQM8="
        crossorigin="anonymous"></script>

Describe the solution you'd like

• ENH: sphinx.application.add_js_file,add_css_file,: add at least integrity= and crossorigin= kwargs to

  • sphinx/sphinx/application.py

    Line 966 in e352a67

    def add_js_file(self, filename: str | None, priority: int = 500,

  • https://github.com/search?q=repo%3Asphinx-doc%2Fsphinx+add_js_file&type=code
  • https://github.com/search?q=repo%3Asphinx-doc%2Fsphinx+add_css_file&type=code

• ENH,SEC: update all existing code with sri hashes

• ENH: sphinx.builders.html.StandaloneHTMLBuilder,*HTMLBuilder: include integrity= SRI hashes for everything added with add_js_file and add_css_file

  • sphinx/sphinx/builders/html/__init__.py

    Line 341 in e352a67

    def init_js_files(self) -> None:

• DOC: Release Notes: ANN: We should all add integrity= and crossorigin= attrs to our <link> and <script> tags; here's how with Sphinx now

Describe alternatives you've considered

• Rewrite all <link> and <script> tags with SRI hashes

Additional context

• "What are the integrity and crossorigin attributes?"
  https://stackoverflow.com/questions/32039568/what-are-the-integrity-and-crossorigin-attributes/49061277#49061277

• SRI hash:

  • openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A

[jayaddison]

Hi @westurner - does the keyword-argument support in the add_js_file method provide the functionality that you're looking for here?

[westurner]

Almost, I think. Remaining:

• When or how should sphinx's own add_js_files() SRI hash integrity= kwargs be updated?
• Update sphinx dev process to update integrity= kwargs at {dev, build, release}-time
• Possibly add DeprecationWarning or similar if there are no integrity= hashes specifed and idk ignore_missing_sri_hashes = true isn't set in conf.py?

[jayaddison]

Update sphinx dev process to update integrity= kwargs at {dev, build, release}-time

I don't think that sphinx should modify those itself if they're provided as arguments; that would conflict the reason for providing them - to ensure that the correct content is delivered to users. It would be OK for a project to provide either -- or both -- minified and non-minified variants, though, for example. The integrity HTML attribute can contain multiple same-algorithm-digests for the same resource, meaning that a choice of valid contents are considered valid at a point-in-time, and that would support the 'both' provision there.

When or how should sphinx's own add_js_files() SRI hash integrity= kwargs be updated?

I'm not completely certain what you mean by this; do you mean how would integrity values for the built-in theme CSS/JS files from Sphinx itself be generated?

[westurner]

- support min.js variants - auto-hash the built in theme resources yeah - flag to build without any integrity= values for debugging

…

On Sun, Apr 14, 2024, 4:53 PM James Addison ***@***.***> wrote: Update sphinx dev process to update integrity= kwargs at {dev, build, release}-time I don't think that sphinx should modify those itself if they're provided as arguments; that would conflict the reason for providing them - to ensure that the correct content is delivered to users. It would be OK for a project to provide either -- or both -- minified and non-minified variants, though, for example. The integrity HTML attribute can contain multiple same-algorithm-digests for the same resource, meaning that a choice of valid contents are considered valid at a point-in-time, and that would support the 'both' provision there. When or how should sphinx's own add_js_files() SRI hash integrity= kwargs be updated? I'm not completely certain what you mean by this; do you mean how would integrity values for the built-in theme CSS/JS files from Sphinx itself be generated? — Reply to this email directly, view it on GitHub <#12279 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAMNS7T2I4RP7KTZD4LQJTY5LUE5AVCNFSM6AAAAABGGIED2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANJUGE4DCMZYG4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[jayaddison]

• support min.js variants - auto-hash the built in theme resources yeah - flag to build without any integrity= values for debugging

Could you describe some use-case(s) for disabling the integrity attribute? Even in development mode, it's valuable to know that code/scripts/stylesheets haven't been unexpectedly modified.

[westurner]

- live on-disk modification of theme stylesheets (which DevTools works around just fine)

…

On Mon, Apr 15, 2024, 6:24 PM James Addison ***@***.***> wrote: - support min.js variants - auto-hash the built in theme resources yeah - flag to build without any integrity= values for debugging Could you describe some use-case(s) for disabling the integrity attribute? Even in development mode, it's valuable to know that code/scripts/stylesheets haven't been unexpectedly modified. — Reply to this email directly, view it on GitHub <#12279 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAMNSZYQMGYJJ2VQVSDZHTY5RHRTAVCNFSM6AAAAABGGIED2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANJXHEYTCOJZG4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[jayaddison]

• live on-disk modification of theme stylesheets (which DevTools works around just fine)

Given that the developer has local write access to the resources in that scenario, would it be acceptable to temporarily remove the HTML integrity attribute(s) for those resources until editing is completed?

[westurner]

Presumably that's what browsers do with "Local overrides" in DevTools. IDK how necessary it is to optionally omit integrity= hashes for development and testing.

…

On Tue, Apr 16, 2024, 12:35 PM James Addison ***@***.***> wrote: - live on-disk modification of theme stylesheets (which DevTools works around just fine) Given that the developer has local write access to the resources in that scenario, would it be acceptable to temporarily remove the HTML integrity attribute(s) for those resources until editing is completed? — Reply to this email directly, view it on GitHub <#12279 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAMNS4UQEWXBNE3AOG5VXLY5VHLJAVCNFSM6AAAAABGGIED2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANJZGUYDCMZTHE> . You are receiving this because you were mentioned.Message ID: ***@***.***>