summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorConnor Shea <connor.james.shea@gmail.com>2016-06-22 16:25:59 -0600
committerConnor Shea <connor.james.shea@gmail.com>2016-06-22 16:25:59 -0600
commitbba1d2de3bc76bf65b4c2ded07e94ab0d7455bfd (patch)
tree8259256c056dca42e6c6d789932ee62be208e7f5
parent97ec04ac9b923ff9eb68ce51a35150d45105adf1 (diff)
downloadgitlab-ce-bba1d2de3bc76bf65b4c2ded07e94ab0d7455bfd.tar.gz
Add clarifying comment and a Changelog entry.
-rw-r--r--CHANGELOG1
-rw-r--r--app/views/layouts/_head.html.haml3
2 files changed, 4 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 7179cd13e11..76d9712ce9f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.10.0 (unreleased)
- Wrap code blocks on Activies and Todos page. !4783 (winniehell)
- Fix MR-auto-close text added to description. !4836
+ - Implement Subresource Integrity for CSS and JavaScript assets. This prevents malicious assets from loading in the case of a CDN compromise.
v 8.9.0
- Fix builds API response not including commit data
diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index be29ed532ee..d5965a6ec99 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -30,6 +30,9 @@
= javascript_include_tag "application", integrity: true
+ -# FIXME: SRI doesn't apply to the dynamically-generated per-page
+ -# JavaScript due to a bug in sprockets-rails.
+ -# See https://github.com/rails/sprockets-rails/issues/359
- if page_specific_javascripts
= javascript_include_tag page_specific_javascripts, {"data-turbolinks-track" => true}