author: Robert Speicher <robert@gitlab.com>, 2016-06-22 23:07:18 +0000
committer: Robert Speicher <robert@gitlab.com>, 2016-06-22 23:07:18 +0000
commit: 33fa50b1047d08b52896b9954f7106080616dd62
tree: 8259256c056dca42e6c6d789932ee62be208e7f5 /doc/api/projects.md
parent: cef021917f0fdf0fd3c24c41d6fd9ee1ed79e8d8
parent: bba1d2de3bc76bf65b4c2ded07e94ab0d7455bfd
Merge branch 'sri' into 'master'

Add Subresource Integrity attribute to CSS and JS assets.

This prevents compromised or malicious CDNs from modifying GitLab's assets. The hash provided by Rails is compared to the hash of the asset the browser has downloaded. The browser will refuse to execute/parse the assets if the hashes don't match.

SRI is currently implemented in Firefox, Chrome, and Opera.

This doesn't apply to the dynamically-generated per-page JavaScript due to [a bug in sprockets-rails](https://github.com/rails/sprockets-rails/issues/359). Unfortunately until there's a fix available we won't benefit fully from a security perspective.

It's more secure. More information is available in #18230 and on MDN: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Fixes #18230

See merge request !4808

Diffstat (limited to 'doc/api/projects.md')
0 files changed, 0 insertions, 0 deletions
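
The hash comparison the commit message describes, as an added Ruby example that is not code from GitLab, Rails, or this commit: it builds an `integrity` value for an asset and then applies the browser-side check, including the rule that only the strongest listed algorithm counts. The helper names (`sri_value`, `parse_integrity`, `sri_allows?`) and the sample asset are hypothetical and constructed for illustration.

```ruby
require 'digest'

# Algorithms in increasing strength; the index doubles as a priority.
SRI_ALGORITHMS = {
  'sha256' => Digest::SHA256, 'sha384' => Digest::SHA384, 'sha512' => Digest::SHA512
}.freeze

def b64_digest(algorithm, body)
  [SRI_ALGORITHMS.fetch(algorithm).digest(body)].pack('m0') # strict base64
end

# Server side: the value for integrity="..." on a <script> or <link> tag.
def sri_value(body, algorithm = 'sha256')
  "#{algorithm}-#{b64_digest(algorithm, body)}"
end

# Integrity metadata is whitespace-separated "alg-base64[?options]" tokens;
# tokens with an unsupported algorithm are ignored.
def parse_integrity(attribute)
  attribute.to_s.split.map do |token|
    algorithm, digest = token.split('-', 2)
    next unless SRI_ALGORITHMS.key?(algorithm) && digest
    [algorithm, digest.split('?', 2).first]
  end.compact
end

# Browser side: true means the downloaded body may be executed/parsed.
def sri_allows?(body, attribute)
  candidates = parse_integrity(attribute)
  return true if candidates.empty? # no usable metadata: nothing is enforced
  strongest = candidates.map(&:first).max_by { |a| SRI_ALGORITHMS.keys.index(a) }
  candidates.any? { |alg, expected| alg == strongest && b64_digest(alg, body) == expected }
end

# Constructed sample asset and a modified copy, as a bad CDN might serve.
ORIGINAL = "console.log('asset');\n"
TAMPERED = ORIGINAL + "/* modified in transit */\n"

if __FILE__ == $PROGRAM_NAME
  attr = sri_value(ORIGINAL, 'sha384')
  puts %(<script src="app.js" integrity="#{attr}"></script>)
  puts "original allowed: #{sri_allows?(ORIGINAL, attr)}"
  puts "tampered allowed: #{sri_allows?(TAMPERED, attr)}"
  puts "tampered, no attribute: #{sri_allows?(TAMPERED, nil)}"
end
```

The last case is why assets served without the attribute, such as the per-page JavaScript mentioned in the commit message, get no protection: with no usable metadata the check always passes.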