realorangeone / django-sri Goto Github PK

We have an issue in production where the sri_static cannot find files on disk. On further inspection this appears to occur when we have run collectstatic to move files from STATICFILES_DIRS to STATIC_ROOT and then deleted the source files, which we do in production environments.

1. Edit source JS in /frontend/src
2. Run yarn build to process frontend app into /frontend/dist (STATICFILES_DIRS)
3. Run collectstatic to copy files to /frontend/staticfiles (STATIC_ROOT)**
4. Delete /frontend/dist

In this situation, at runtime, sri.utils.get_static_path will not find a source file, as it is using the django.contrib.staticfiles.finders.find function, which uses the STATICFILES_FINDERS, which are looking for source files, not the collected static output.

When running in product the finder should be looking in STATIC_ROOT, not STATICFILES_DIRS?

** Although we build the JS frontend into /dist, we need to scoop up all of the other app assets (e.g. admin), so we have to run collectstatic after we build the JS.

When validating the output with the W3C validator a warning is raised for "Warning: The type attribute is unnecessary for JavaScript resources."

It would be good to be able to suppress this in the output?

Dependabot couldn't authenticate with https://pypi.python.org/simple/.

You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.

View the update logs.

Hi, I just installed the package and set up according to the documentation by adding 'sri' to INSTALLED_APP, and set USE_SRI equal to True (cause my project still in development), but I still getting this error. I have no idea which part I've done wrong. Please help!

This may be very niche, but we have a situation where we need the local cache to have a very short timeout. If we could pass this in as a setting (it's for local dev only), that would be really helpful. I'll raise a PR.

Hi,
Would it be possible to make django-sri work with preload, defer (or async) attribute ?

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update dependency ruff to v0.0.257
• Update dependency black to v23

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Hi, I'm trying to use this package in combination with whitenoise. every time I launch my app the browser always refuses to load my static files with the error "filed to find a valid digest in the 'integrity' attribute for resource ". so far I have tested this package on 5 of my CSS files, 1 bootstrap.css + 3 fontawesome.css + 1 my-site.css. Out of those 5 files, only bootstrap.css is loaded by the browser, the remaining are refused. After a little bit of investigation, I found that the integrity attribute's value outputted in the HTML is different from the one being evaluated by the browser. For example,
index.html

<link crossorigin="anonymous" href="/static/home/css/my-site.css" integrity="sha512-GG4sC/4GQsd1r0sXkr0I6cwTZCB1upbMybxD3agscaBX8BOX9IQQyfOqZfX//Z49t2e0u5NbbnBDO6ABGnCtUQ==" rel="stylesheet" type="text/css"/>
<link crossorigin="anonymous" href="/static/fonts/fontawesome-all.min.css" integrity="sha512-HHwKq7saKrGPCHieLofpt4AsI/OYFTVsra9mBimKDJeM//F4yP35Tms3Tj+QetdJgcPxedlzWC2w2qDSdGMujw==" rel="stylesheet" type="text/css"/>

console log

127.0.0.1/:1 Failed to find a valid digest in the 'integrity' attribute for resource 'http://127.0.0.1:8000/static/home/css/my-site.css' with computed SHA-512 integrity 'VQzFTxndLuJU0O201uJZbuSKtlF6RmM/G2LieKu+UB2XM36D4p6lFSK9CRqXb9S/FVLmelzW5q/te2Rq/J2oGw=='. The resource has been blocked.
127.0.0.1/:1 filed to find a valid digest in the 'integrity' attribute for resource 'http://127.0.0.1:8000/static/fonts/fontawesome-all.min.css' with computed SHA-512 integrity '0FCInaWP5g0YTtgrftFRJrLPwUPsAwGLYAEbhhmOyleGWfxiseFAuV4ifxaekiQ1luaRZ7amW8fPIo96ijocUQ=='. The resource has been blocked.

What I've tried to solve the issue:

1. Clear browser data
2. Forced refresh (Ctrl+F5)
3. Disable my browser extensions
4. Removing third-party javascript, I was suspecting one of the scripts altering my CSS files
5. I also add a print statement in your calculate_integrity function, the values are the same as the values outputted in the HTML

The only solution that actually fixed my problem is removing whitenoise package. Yet in your documentation you say

"Does this work with whitenoise or alike?"
Yes. django-sri outputs the static file URL in the same way the builtin static template tag does. This means the correct cachebusted URLs are output.

When using a manifest STATICFILES_STORAGE, django-sri will automatically retrieve the hashed and post-processed file as opposed to the original.

Here is my setting.py

DEBUG = True
INSTALLED_APPS = [
    .....
    'whitenoise.runserver_nostatic', #for local development
    'django.contrib.staticfiles',
    .....
    'sri',
]

MIDDLEWARE = ['django.middleware.security.SecurityMiddleware',
              'whitenoise.middleware.WhiteNoiseMiddleware',
              .......
              ]

STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles')
STATIC_URL = "/static/"

STATICFILES_DIRS = [
    BASE_DIR / "static",
]

MEDIA_URL = 'media/'
MEDIA_ROOT = os.path.join(BASE_DIR, 'media')

STORAGES = {
    "default": {
        "BACKEND": "django.core.files.storage.FileSystemStorage",
    },
    'staticfiles': {
        "BACKEND": "whitenoise.storage.CompressedManifestStaticFilesStorage",
    }
}

USE_SRI = True

Is there anything I did wrong?

Hello,

I encoutered a bug with the following file: https://sparte.beta.gouv.fr/static/carto/css/leaflet.css

Provided hash with static_sri : y4gDEU/pxJrmohmEZFiWzZiKDba4qNsDmUTkUJjIN5U=
Expected hash : BPfK9M5v34c2XP6p0cxVz1mUQLst0gTLk0mlc7kuodA= (computed by chrome)

I am unsure on how this is possible, I am looking into it but with no result yet.

Swann