Merge branch 'sri' into 'master'

Add Subresource Integrity attribute to CSS and JS assets. This prevents compromised or malicious CDNs from modifying GitLab's assets. The hash provided by Rails is compared to the hash of the asset the browser has downloaded. The browser will refuse to execute/parse the assets if the hashes don't match. SRI is currently implemented in Firefox, Chrome, and Opera. This doesn't apply to the dynamically-generated per-page JavaScript due to [a bug in sprockets-rails](https://github.com/rails/sprockets-rails/issues/359). Unfortunately until there's a fix available we won't benefit fully from a security perspective. It's more secure. More information is available in #18230 and on MDN: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity Fixes #18230 See merge request !4808

Merge branch 'sri' into 'master'
Add Subresource Integrity attribute to CSS and JS assets. This prevents compromised or malicious CDNs from modifying GitLab's assets. The hash provided by Rails is compared to the hash of the asset the browser has downloaded. The browser will refuse to execute/parse the assets if the hashes don't match. SRI is currently implemented in Firefox, Chrome, and Opera. This doesn't apply to the dynamically-generated per-page JavaScript due to [a bug in sprockets-rails](https://github.com/rails/sprockets-rails/issues/359). Unfortunately until there's a fix available we won't benefit fully from a security perspective. It's more secure. More information is available in #18230 and on MDN: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity Fixes #18230 See merge request !4808
33fa50b1 · Robert Speicher · cef02191 · bba1d2de · 33fa50b1 · 33fa50b1
Commit 33fa50b1 authored Jun 22, 2016 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

CHANGELOG CHANGELOG +1 -0

app/views/layouts/_head.html.haml app/views/layouts/_head.html.haml +6 -3

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 v 8.10.0 (unreleased)
  - Wrap code blocks on Activies and Todos page. !4783 (winniehell)
  - Fix MR-auto-close text added to description. !4836
+  - Implement Subresource Integrity for CSS and JavaScript assets. This prevents malicious assets from loading in the case of a CDN compromise.

 v 8.9.0
  - Fix builds API response not including commit data

--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -25,11 +25,14 @@

  = favicon_link_tag 'favicon.ico'

-  = stylesheet_link_tag "application", media: "all"
-  = stylesheet_link_tag "print",       media: "print"
+  = stylesheet_link_tag "application", media: "all", integrity: true
+  = stylesheet_link_tag "print",       media: "print", integrity: true

-  = javascript_include_tag "application"
+  = javascript_include_tag "application", integrity: true

+  -# FIXME: SRI doesn't apply to the dynamically-generated per-page
+  -# JavaScript due to a bug in sprockets-rails.
+  -# See https://github.com/rails/sprockets-rails/issues/359
  - if page_specific_javascripts
    = javascript_include_tag page_specific_javascripts, {"data-turbolinks-track" => true}