From 97ec04ac9b923ff9eb68ce51a35150d45105adf1 Mon Sep 17 00:00:00 2001
From: Connor Shea <connor.james.shea@gmail.com>
Date: Mon, 20 Jun 2016 13:38:17 -0600
Subject: [PATCH] Add Subresource Integrity attribute to CSS and JS assets.

This prevents compromised or malicious CDNs from modifying assets. The hash provided by Rails is compared to the hash of the asset the browser has downloaded. The browser will refuse to execute/parse the assets if the hashes don't match. SRI is currently implemented in Firefox, Chrome, and Opera.

More information is available in #18230 and on MDN: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

This doesn't apply to the dynamically-generated per-page JavaScript due to a bug in sprockets-rails (https://github.com/rails/sprockets-rails/issues/359).
---
 app/views/layouts/_head.html.haml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index e0ed657919e..be29ed532ee 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -25,10 +25,10 @@
 
   = favicon_link_tag 'favicon.ico'
 
-  = stylesheet_link_tag "application", media: "all"
-  = stylesheet_link_tag "print",       media: "print"
+  = stylesheet_link_tag "application", media: "all", integrity: true
+  = stylesheet_link_tag "print",       media: "print", integrity: true
 
-  = javascript_include_tag "application"
+  = javascript_include_tag "application", integrity: true
 
   - if page_specific_javascripts
     = javascript_include_tag page_specific_javascripts, {"data-turbolinks-track" => true}