Add SRI (Subresource Integrity) hash to CDN script tags

ddworken · ddworken · commit d0d449e45110 · 2025-05-02T11:27:03.000-07:00
When include_plotlyjs='cdn', the generated HTML now includes an integrity
attribute with a SHA256 hash of the bundled plotly.js content. This provides
enhanced security by ensuring the browser verifies the integrity of the
CDN-served file.

- Added _generate_sri_hash() function to create SHA256 hashes
- Modified CDN script tag generation to include integrity and crossorigin attributes
- Added comprehensive tests to verify SRI functionality
- Updated existing tests to account for new script tag format
diff --git a/plotly/io/_html.py b/plotly/io/_html.py
@@ -1,6 +1,8 @@
 import uuid
 from pathlib import Path
 import webbrowser
+import hashlib
+import base64
 
 from _plotly_utils.optional_imports import get_module
 from plotly.io._utils import validate_coerce_fig_to_dict, plotly_cdn_url
@@ -9,6 +11,14 @@
 _json = get_module("json")
 
 
+def _generate_sri_hash(content):
+    """Generate SHA256 hash for SRI (Subresource Integrity)"""
+    if isinstance(content, str):
+        content = content.encode('utf-8')
+    sha256_hash = hashlib.sha256(content).digest()
+    return 'sha256-' + base64.b64encode(sha256_hash).decode('utf-8')
+
+
 # Build script to set global PlotlyConfig object. This must execute before
 # plotly.js is loaded.
 _window_plotly_config = """\
@@ -252,11 +262,17 @@ def to_html(
     load_plotlyjs = ""
 
     if include_plotlyjs == "cdn":
+        # Generate SRI hash from the bundled plotly.js content
+        plotlyjs_content = get_plotlyjs()
+        sri_hash = _generate_sri_hash(plotlyjs_content)
+        
         load_plotlyjs = """\
         {win_config}
-        <script charset="utf-8" src="{cdn_url}"></script>\
+        <script charset="utf-8" src="{cdn_url}" integrity="{integrity}" crossorigin="anonymous"></script>\
     """.format(
-            win_config=_window_plotly_config, cdn_url=plotly_cdn_url()
+            win_config=_window_plotly_config, 
+            cdn_url=plotly_cdn_url(),
+            integrity=sri_hash
         )
 
     elif include_plotlyjs == "directory":
diff --git a/tests/test_core/test_offline/test_offline.py b/tests/test_core/test_offline/test_offline.py
@@ -37,7 +37,7 @@
 <script type="text/javascript">\
 window.PlotlyConfig = {MathJaxConfig: 'local'};</script>"""
 
-cdn_script = '<script charset="utf-8" src="{cdn_url}"></script>'.format(
+cdn_script = '<script charset="utf-8" src="{cdn_url}"'.format(
     cdn_url=plotly_cdn_url()
 )
 
diff --git a/tests/test_io/test_html.py b/tests/test_io/test_html.py
@@ -7,6 +7,8 @@
 import plotly.graph_objs as go
 import plotly.io as pio
 from plotly.io._utils import plotly_cdn_url
+from plotly.offline.offline import get_plotlyjs
+from plotly.io._html import _generate_sri_hash
 
 
 if sys.version_info >= (3, 3):
@@ -46,3 +48,37 @@ def test_html_deterministic(fig1):
     assert pio.to_html(fig1, include_plotlyjs="cdn", div_id=div_id) == pio.to_html(
         fig1, include_plotlyjs="cdn", div_id=div_id
     )
+
+
+def test_cdn_includes_integrity_attribute(fig1):
+    """Test that the CDN script tag includes an integrity attribute with SHA256 hash"""
+    html_output = pio.to_html(fig1, include_plotlyjs="cdn")
+    
+    # Check that the script tag includes integrity attribute
+    assert 'integrity="sha256-' in html_output
+    assert 'crossorigin="anonymous"' in html_output
+    
+    # Verify it's in the correct script tag
+    import re
+    cdn_pattern = re.compile(r'<script[^>]*src="' + re.escape(plotly_cdn_url()) + r'"[^>]*integrity="sha256-[A-Za-z0-9+/=]+"[^>]*>')
+    match = cdn_pattern.search(html_output)
+    assert match is not None, "CDN script tag with integrity attribute not found"
+
+
+def test_cdn_integrity_hash_matches_bundled_content(fig1):
+    """Test that the SRI hash in CDN script tag matches the bundled plotly.js content"""
+    html_output = pio.to_html(fig1, include_plotlyjs="cdn")
+    
+    # Extract the integrity hash from the HTML output
+    import re
+    integrity_pattern = re.compile(r'integrity="(sha256-[A-Za-z0-9+/=]+)"')
+    match = integrity_pattern.search(html_output)
+    assert match is not None, "Integrity attribute not found"
+    extracted_hash = match.group(1)
+    
+    # Generate expected hash from bundled content
+    plotlyjs_content = get_plotlyjs()
+    expected_hash = _generate_sri_hash(plotlyjs_content)
+    
+    # Verify they match
+    assert extracted_hash == expected_hash, f"Hash mismatch: expected {expected_hash}, got {extracted_hash}"

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@`
`37`	`37`	`<script type="text/javascript">\`
`38`	`38`	`window.PlotlyConfig = {MathJaxConfig: 'local'};</script>"""`
`39`	`39`
`40`		`-cdn_script = '<script charset="utf-8" src="{cdn_url}"></script>'.format(`
	`40`	`+cdn_script = '<script charset="utf-8" src="{cdn_url}"'.format(`
`41`	`41`	`cdn_url=plotly_cdn_url()`
`42`	`42`	`)`
`43`	`43`