Add Subresource Integrity attribute to CSS and JS assets.
What does this MR do?
This prevents compromised or malicious CDNs from modifying GitLab's assets. The hash provided by Rails is compared to the hash of the asset the browser has downloaded. The browser will refuse to execute/parse the assets if the hashes don't match. SRI is currently implemented in Firefox, Chrome, and Opera.
This doesn't apply to the dynamically-generated per-page JavaScript due to a bug in sprockets-rails. Unfortunately until there's a fix available we won't benefit fully from a security perspective.
Are there points in the code the reviewer needs to double check?
NOTE: Sprockets' implementation of SRI requires an HTTPS connection. In order to test that this is working in the dev environment, you need to have your GDK set up to use HTTPS locally.
Why was this MR needed?
It's more secure. More information is available in #18230 (moved) and on MDN: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
-
CHANGELOG entry added -
Documentation created/updated -
API support added -
Tests -
Added for this feature/bug -
All builds are passing
-
-
Conform by the style guides -
Branch has no merge conflicts with master(if you do - rebase it please) -
Squashed related commits together