From 815e724bea3fb21a658162c63cdef1d4535b317a Mon Sep 17 00:00:00 2001 From: Robin Drexler Date: Wed, 21 Oct 2020 18:18:30 -0400 Subject: [PATCH] set approriate crossorigin for js and css preload links --- actionview/lib/action_view/helpers/asset_tag_helper.rb | 10 +++++++++- actionview/test/template/asset_tag_helper_test.rb | 7 +++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/actionview/lib/action_view/helpers/asset_tag_helper.rb b/actionview/lib/action_view/helpers/asset_tag_helper.rb index d976f9b5ce..d92b04f77a 100644 --- a/actionview/lib/action_view/helpers/asset_tag_helper.rb +++ b/actionview/lib/action_view/helpers/asset_tag_helper.rb @@ -88,16 +88,20 @@ module ActionView path_options = options.extract!("protocol", "extname", "host", "skip_pipeline").symbolize_keys preload_links = [] nopush = options["nopush"].nil? ? true : options.delete("nopush") + crossorigin = options.delete("crossorigin") + crossorigin = "anonymous" if crossorigin == true sources_tags = sources.uniq.map { |source| href = path_to_javascript(source, path_options) unless options["defer"] preload_link = "<#{href}>; rel=preload; as=script" + preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil? preload_link += "; nopush" if nopush preload_links << preload_link end tag_options = { - "src" => href + "src" => href, + "crossorigin" => crossorigin }.merge!(options) if tag_options["nonce"] == true tag_options["nonce"] = content_security_policy_nonce 
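Review bot: The added line `preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?` writes whatever the caller passed into the `Link` response header, so `crossorigin: false` yields `crossorigin=false`, and a string containing `;` or `,` would add extra parameters or a second link-value. Only `true` is normalised, and nothing restricts the value to the two valid keywords. I would emit the parameter only for known values, e.g. `preload_link += "; crossorigin=#{crossorigin}" if %w[anonymous use-credentials].include?(crossorigin.to_s)`, and decide explicitly what `false` and `""` should mean. The same line is added in the stylesheet hunk (`as=style`) and needs the same guard. The enclosing helper starts and ends outside this hunk, so how `preload_links` is finally joined into the header is not visible here.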
@@ -142,16 +146,20 @@ module ActionView options = sources.extract_options!.stringify_keys path_options = options.extract!("protocol", "host", "skip_pipeline").symbolize_keys preload_links = [] + crossorigin = options.delete("crossorigin") + crossorigin = "anonymous" if crossorigin == true nopush = options["nopush"].nil? ? true : options.delete("nopush") sources_tags = sources.uniq.map { |source| href = path_to_stylesheet(source, path_options) preload_link = "<#{href}>; rel=preload; as=style" + preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil? preload_link += "; nopush" if nopush preload_links << preload_link tag_options = { "rel" => "stylesheet", "media" => "screen", + "crossorigin" => crossorigin, "href" => href }.merge!(options) tag(:link, tag_options) diff --git a/actionview/test/template/asset_tag_helper_test.rb b/actionview/test/template/asset_tag_helper_test.rb index 831455d728..70189003fc 100644 --- a/actionview/test/template/asset_tag_helper_test.rb +++ b/actionview/test/template/asset_tag_helper_test.rb @@ -528,6 +528,13 @@ class AssetTagHelperTest < ActionView::TestCase assert_equal expected, @response.headers["Link"] end + def test_should_set_preload_links_with_cross_origin + stylesheet_link_tag("http://example.com/style.css", crossorigin: "use-credentials") + javascript_include_tag("http://example.com/all.js", crossorigin: true) + expected = "; rel=preload; as=style; crossorigin=use-credentials; nopush,; rel=preload; as=script; crossorigin=anonymous; nopush" + assert_equal expected, @response.headers["Link"] + end + def test_image_path ImagePathToTag.each { |method, tag| assert_dom_equal(tag, eval(method)) } end
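Review bot: The two added lines `crossorigin = options.delete("crossorigin")` and `crossorigin = "anonymous" if crossorigin == true` carry no comment saying why the option is taken out of `options` and normalised, and the reason is not obvious from the code. A short why-comment would help, for example `# Keep the preload header and the tag on the same CORS mode; on a mismatch the preloaded response is not reused.` The helper's doc comment is outside this hunk; it presumably also needs an entry for `crossorigin` stating that `true` becomes `"anonymous"` and that the value is sent in the `Link` header. As a style point, this hunk places the assignment before `nopush` while the JavaScript hunk places it after, and the two helpers would read better in the same order.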
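Review bot: `test_should_set_preload_links_with_cross_origin` asserts only the `Link` header, so nothing verifies that the rendered tags carry the same `crossorigin` value, and there is no case for `crossorigin: false`. Since the header and the tag have to agree for the preload to be used, I would add a tag assertion such as `assert_dom_equal %(<script src="http://example.com/all.js" crossorigin="anonymous"></script>), javascript_include_tag("http://example.com/all.js", crossorigin: true)`. A case that passes `crossorigin: false` and asserts the header contains no `crossorigin=` parameter would pin the intended behaviour for falsy values. The preceding test is only partly visible in the hunk, so it may already cover the default with no option given.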