graphql / graphql-playground

🎮 GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration)
MIT License

GraphQL Playground HTML should use Subresource Integrity when loading external JavaScript. #1332

Open Sjord opened 3 years ago

Sjord commented 3 years ago

This issue pertains to the following package(s):

What OS and OS version are you experiencing the issue(s) on?

Not applicable.

What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?

I have seen this in the included GraphQL playground on ariadne.contrib.django, but I don't think it's specific to that.

What is the expected behavior?

I expect GraphQL Playground to specify a subresource integrity hash when loading its external JavaScript. The HTML file contains the following:

```html
<script src="//cdn.jsdelivr.net/npm/graphql-playground-react/build/static/js/middleware.js"></script>
```

It would be nice if that contained a hash, so that the Playground only loads code that can be trusted:

```html
<script src="//cdn.jsdelivr.net/npm/graphql-playground-react/build/static/js/middleware.js"
        integrity="sha384-8ZBpoKWpyI6F5F1R0ijmRe6NtB5mkl47ax+KcynJ79OAeWCPQMuQNOOBl6ArLPGn"
        crossorigin="anonymous"></script>
```

What is the actual behavior?

Currently, no subresource integrity is used. If jsdelivr is compromised, or it serves malicious JavaScript for some reason, that malicious JavaScript is executed in every Playground.

I think it's a small risk. The probability that jsdelivr is compromised is pretty small, and the Playground is more a developer tool than a production tool. Using SRI can eliminate this risk. Of course, you would also need explicit versioning, so that the hash always corresponds with the contents of the JavaScript file.

What steps may we take to reproduce the behavior?

  1. Hack jsdelivr.
  2. Serve malicious JavaScript instead of the Playground middleware.