Add subresource integrity for JS and CSS assets (#15096)

Fix #2744

Add subresource integrity for JS and CSS assets (#15096)
9b1f2a4b · Eugen Rochko · GitHub · 68d4b2b8 · 9b1f2a4b · 9b1f2a4b
Unverified Commit 9b1f2a4b authored 4 years ago by Eugen Rochko Committed by GitHub 4 years ago
--- a/app/views/about/more.html.haml
+++ b/app/views/about/more.html.haml
@@ -2,7 +2,7 @@
  = site_hostname

 - content_for :header_tags do
-  = javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'public', crossorigin: 'anonymous'
  = render partial: 'shared/og'

 .grid-4

--- a/app/views/admin/action_logs/index.html.haml
+++ b/app/views/admin/action_logs/index.html.haml
@@ -2,7 +2,7 @@
  = t('admin.action_logs.title')

 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 = form_tag admin_action_logs_url, method: 'GET', class: 'simple_form' do
  = hidden_field_tag :target_account_id, params[:target_account_id] if params[:target_account_id].present?

--- a/app/views/admin/custom_emojis/index.html.haml
+++ b/app/views/admin/custom_emojis/index.html.haml
@@ -2,7 +2,7 @@
  = t('admin.custom_emojis.title')

 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 - if can?(:create, :custom_emoji)
  - content_for :heading_actions do

--- a/app/views/admin/domain_allows/new.html.haml
+++ b/app/views/admin/domain_allows/new.html.haml
 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 - content_for :page_title do
  = t('admin.domain_allows.add_new')

--- a/app/views/admin/domain_blocks/edit.html.haml
+++ b/app/views/admin/domain_blocks/edit.html.haml
 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 - content_for :page_title do
  = t('admin.domain_blocks.edit')

--- a/app/views/admin/domain_blocks/new.html.haml
+++ b/app/views/admin/domain_blocks/new.html.haml
 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 - content_for :page_title do
  = t('.title')

--- a/app/views/admin/ip_blocks/index.html.haml
+++ b/app/views/admin/ip_blocks/index.html.haml
@@ -2,7 +2,7 @@
  = t('admin.ip_blocks.title')

 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 - if can?(:create, :ip_block)
  - content_for :heading_actions do

--- a/app/views/admin/pending_accounts/index.html.haml
+++ b/app/views/admin/pending_accounts/index.html.haml
@@ -2,7 +2,7 @@
  = t('admin.pending_accounts.title', count: User.pending.count)

 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 = form_for(@form, url: batch_admin_pending_accounts_path) do |f|
  = hidden_field_tag :page, params[:page] || 1

--- a/app/views/admin/reports/show.html.haml
+++ b/app/views/admin/reports/show.html.haml
 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 - content_for :page_title do
  = t('admin.reports.report', id: @report.id)

--- a/app/views/admin/settings/edit.html.haml
+++ b/app/views/admin/settings/edit.html.haml
 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 - content_for :page_title do
  = t('admin.settings.title')

--- a/app/views/admin/statuses/index.html.haml
+++ b/app/views/admin/statuses/index.html.haml
 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 - content_for :page_title do
  = t('admin.statuses.title')

--- a/app/views/admin/tags/index.html.haml
+++ b/app/views/admin/tags/index.html.haml
@@ -2,7 +2,7 @@
  = t('admin.tags.title')

 - content_for :header_tags do
-  = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'

 .filters
  .filter-subset

--- a/app/views/auth/sessions/two_factor.html.haml
+++ b/app/views/auth/sessions/two_factor.html.haml
 - content_for :page_title do
  = t('auth.login')

-=javascript_pack_tag 'two_factor_authentication', integrity: true, crossorigin: 'anonymous'
+=javascript_pack_tag 'two_factor_authentication', crossorigin: 'anonymous'

 - if @webauthn_enabled
  = render partial: 'auth/sessions/two_factor/webauthn_form', locals: { hidden: @scheme_type != 'webauthn' }

--- a/app/views/home/index.html.haml
+++ b/app/views/home/index.html.haml
 - content_for :header_tags do
-  = preload_link_tag asset_pack_path('features/getting_started.js'), crossorigin: 'anonymous'
-  = preload_link_tag asset_pack_path('features/compose.js'), crossorigin: 'anonymous'
-  = preload_link_tag asset_pack_path('features/home_timeline.js'), crossorigin: 'anonymous'
-  = preload_link_tag asset_pack_path('features/notifications.js'), crossorigin: 'anonymous'
+  = preload_pack_asset 'features/getting_started.js', crossorigin: 'anonymous'
+  = preload_pack_asset 'features/compose.js', crossorigin: 'anonymous'
+  = preload_pack_asset 'features/home_timeline.js', crossorigin: 'anonymous'
+  = preload_pack_asset 'features/notifications.js', crossorigin: 'anonymous'

  %meta{name: 'applicationServerKey', content: Rails.configuration.x.vapid_public_key}
  = render_initial_state
-  = javascript_pack_tag 'application', integrity: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'application', crossorigin: 'anonymous'

 .app-holder#mastodon{ data: { props: Oj.dump(default_props) } }
  %noscript

--- a/app/views/layouts/admin.html.haml
+++ b/app/views/layouts/admin.html.haml
 - content_for :header_tags do
  = render_initial_state
-  = javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'public', crossorigin: 'anonymous'

 - content_for :content do
  .admin-wrapper

--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@@ -21,10 +21,10 @@

    %title= content_for?(:page_title) ? safe_join([yield(:page_title).chomp.html_safe, title], ' - ') : title

-    = stylesheet_pack_tag 'common', media: 'all'
-    = stylesheet_pack_tag current_theme, media: 'all'
-    = javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
-    = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
+    = stylesheet_pack_tag 'common', media: 'all', crossorigin: 'anonymous'
+    = stylesheet_pack_tag current_theme, media: 'all', crossorigin: 'anonymous'
+    = javascript_pack_tag 'common', crossorigin: 'anonymous'
+    = javascript_pack_tag "locale_#{I18n.locale}", crossorigin: 'anonymous'
    = csrf_meta_tags
    %meta{ name: 'style-nonce', content: request.content_security_policy_nonce }


--- a/app/views/layouts/auth.html.haml
+++ b/app/views/layouts/auth.html.haml
 - content_for :header_tags do
-  = javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'public', crossorigin: 'anonymous'

 - content_for :content do
  .container-alt

--- a/app/views/layouts/embedded.html.haml
+++ b/app/views/layouts/embedded.html.haml
@@ -11,8 +11,8 @@
    - if storage_host?
      %link{ rel: 'dns-prefetch', href: storage_host }/

-    = stylesheet_pack_tag 'common', media: 'all'
-    = stylesheet_pack_tag Setting.default_settings['theme'], media: 'all'
+    = stylesheet_pack_tag 'common', media: 'all', crossorigin: 'anonymous'
+    = stylesheet_pack_tag Setting.default_settings['theme'], media: 'all', crossorigin: 'anonymous'
    = javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
    = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
    = render_initial_state

--- a/app/views/layouts/error.html.haml
+++ b/app/views/layouts/error.html.haml
@@ -5,10 +5,10 @@
    %meta{ charset: 'utf-8' }/
    %title= safe_join([yield(:page_title), Setting.default_settings['site_title']], ' - ')
    %meta{ content: 'width=device-width,initial-scale=1', name: 'viewport' }/
-    = stylesheet_pack_tag 'common', media: 'all'
-    = stylesheet_pack_tag Setting.default_settings['theme'], media: 'all'
-    = javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
-    = javascript_pack_tag 'error', integrity: true, crossorigin: 'anonymous'
+    = stylesheet_pack_tag 'common', media: 'all', crossorigin: 'anonymous'
+    = stylesheet_pack_tag Setting.default_settings['theme'], media: 'all', crossorigin: 'anonymous'
+    = javascript_pack_tag 'common', crossorigin: 'anonymous'
+    = javascript_pack_tag 'error', crossorigin: 'anonymous'
  %body.error
    .dialog
      .dialog__illustration

--- a/app/views/layouts/modal.html.haml
+++ b/app/views/layouts/modal.html.haml
 - content_for :header_tags do
-  = javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
+  = javascript_pack_tag 'public', crossorigin: 'anonymous'

 - content_for :content do
  - if user_signed_in? && !@hide_header