| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | app/views/layouts/_head.html.haml | 9 | 
2 files changed, 7 insertions, 3 deletions
| diff --git a/CHANGELOG b/CHANGELOG
index 7179cd13e11..76d9712ce9f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 v 8.10.0 (unreleased)
   - Wrap code blocks on Activies and Todos page. !4783 (winniehell)
   - Fix MR-auto-close text added to description. !4836
+  - Implement Subresource Integrity for CSS and JavaScript assets. This prevents malicious assets from loading in the case of a CDN compromise.
 v 8.9.0
   - Fix builds API response not including commit data
diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index e0ed657919e..d5965a6ec99 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -25,11 +25,14 @@
   = favicon_link_tag 'favicon.ico'
-  = stylesheet_link_tag "application", media: "all"
-  = stylesheet_link_tag "print",       media: "print"
+  = stylesheet_link_tag "application", media: "all", integrity: true
+  = stylesheet_link_tag "print",       media: "print", integrity: true
-  = javascript_include_tag "application"
+  = javascript_include_tag "application", integrity: true
+  -# FIXME: SRI doesn't apply to the dynamically-generated per-page
+  -# JavaScript due to a bug in sprockets-rails.
+  -# See https://github.com/rails/sprockets-rails/issues/359
   - if page_specific_javascripts
     = javascript_include_tag page_specific_javascripts, {"data-turbolinks-track" => true} |
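Review bot: The `page_specific_javascripts` include tag at the end of the `_head.html.haml` hunk still ships without `integrity: true`, so the per-page JavaScript bundles remain loadable without any SRI check even though the CHANGELOG entry states that malicious assets cannot load after a CDN compromise; the FIXME is honest about the gap, but the changelog wording should be narrowed to the application and print bundles, e.g. `Implement Subresource Integrity for the application CSS and JavaScript bundles (per-page JavaScript is not yet covered, see sprockets-rails#359).`. Note that `integrity: true` only asks sprockets-rails to emit the attribute; as far as I recall the helper omits it unless the request is served over SSL or is local, so a plain-HTTP deployment silently gets no protection and this is worth confirming against the sprockets-rails version in the Gemfile. Separately, when the assets are actually served from a CDN origin, browsers only enforce SRI on cross-origin resources that are requested with a `crossorigin` attribute and answered with CORS headers, otherwise the asset is refused and the page loses its CSS/JS; the hunk adds neither, so the CDN configuration should be checked before this is relied on. Also worth adding to the comment in the hunk is the consequence of the FIXME for reviewers: `-# Until fixed, page-specific bundles are NOT integrity-checked; do not describe SRI coverage as complete.`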
