Add Subresource Integrity attribute to CSS and JS assets.

This prevents compromised or malicious CDNs from modifying assets. The hash provided by Rails is compared to the hash of the asset the browser has downloaded. The browser will refuse to execute/parse the assets if the hashes don't match. SRI is currently implemented in Firefox, Chrome, and Opera.

More information is available in #18230 and on MDN: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

This doesn't apply to the dynamically-generated per-page JavaScript due to a bug in sprockets-rails (https://github.com/rails/sprockets-rails/issues/359).
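The comparison the commit message describes, as an added example that is not code from this commit or from sprockets-rails: the integrity value is the base64 of the asset's digest, prefixed with the algorithm name, and the browser recomputes that digest over the bytes it actually received before parsing them. The `crossorigin="anonymous"` attribute in the emitted tag is an assumption for the CDN case; the sample asset bodies are constructed.

```ruby
require "digest"

# Build the value for an integrity="..." attribute from an asset body.
# Format: "<algorithm>-<base64 digest>", e.g. "sha256-47DEQp...".
def sri_value(body, algorithm: "sha256")
  digest = case algorithm
           when "sha256" then Digest::SHA256.digest(body)
           when "sha384" then Digest::SHA384.digest(body)
           when "sha512" then Digest::SHA512.digest(body)
           else raise ArgumentError, "unsupported SRI algorithm: #{algorithm}"
           end
  # pack("m0") is strict (unpadded-newline-free) base64, so no extra gem is needed.
  "#{algorithm}-#{[digest].pack('m0')}"
end

# Mirror the browser-side check: recompute the digest over the bytes that were
# downloaded and compare with the declared value. False means the asset must not
# be executed or applied.
def sri_matches?(downloaded_body, integrity)
  algorithm, _expected = integrity.split("-", 2)
  sri_value(downloaded_body, algorithm: algorithm) == integrity
end

# Emit a script tag the way the integrity: true option is meant to; the
# crossorigin attribute (assumed here) is required for the browser to enforce
# integrity on an asset fetched from another origin such as a CDN.
def script_tag(src, compiled_body)
  %(<script src="#{src}" integrity="#{sri_value(compiled_body)}" crossorigin="anonymous"></script>)
end

# Constructed sample bodies: what Rails compiled, and a copy altered in transit.
ORIGINAL_JS = "window.App = {};\n"
TAMPERED_JS = "window.App = {};\nconsole.log('modified');\n"

if __FILE__ == $0
  tag = script_tag("/assets/application.js", ORIGINAL_JS)
  puts tag
  puts "unchanged copy accepted: #{sri_matches?(ORIGINAL_JS, sri_value(ORIGINAL_JS))}"
  puts "tampered copy accepted:  #{sri_matches?(TAMPERED_JS, sri_value(ORIGINAL_JS))}"
end
```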
Connor Shea 2016-06-20 13:38:17 -06:00
parent cef021917f
commit 97ec04ac9b


@ -25,10 +25,10 @@
= favicon_link_tag 'favicon.ico'
= stylesheet_link_tag "application", media: "all"
= stylesheet_link_tag "print", media: "print"
= stylesheet_link_tag "application", media: "all", integrity: true
= stylesheet_link_tag "print", media: "print", integrity: true
= javascript_include_tag "application"
= javascript_include_tag "application", integrity: true
- if page_specific_javascripts
= javascript_include_tag page_specific_javascripts, {"data-turbolinks-track" => true}
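Review bot: the `page_specific_javascripts` include in the last two lines of the hunk is the one tag left without `integrity: true`, and while the commit message explains why (the sprockets-rails issue), nothing in the template records that reason, so the exception will silently outlive the bug; add a HAML comment above that line, e.g. `-# integrity omitted: see rails/sprockets-rails#359`, so it gets revisited. Also, for assets served from a CDN, which is the case the commit message describes, browsers only enforce `integrity` on a cross-origin resource when the tag carries `crossorigin="anonymous"` and the CDN answers with CORS headers; these lines add only `integrity: true`, so confirm the helper emits the crossorigin attribute for the CDN host or pass it explicitly, otherwise the check does not apply to the very assets it is meant to protect.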