From b9b2d320a3a64503d275d74575f435ac2f94c71e Mon Sep 17 00:00:00 2001
From: Murray Steele
Date: Wed, 17 May 2017 11:55:45 +0000
Subject: [PATCH 1/3] Upgrade to sprockets-rails 3.2

We want a version that targets sprockets 3 and also provides support for calculating sub-resource integrity (SRI) attributes on linked assets.
---
 Gemfile | 2 +-
 Gemfile.lock | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Gemfile b/Gemfile
index 314d698ea4..136244034c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -18,7 +18,7 @@ gem 'rails-i18n', '~> 4.0.0'
 gem 'sass', '~> 3.4.0'
 gem 'sass-rails'
 gem 'slimmer', '~> 10.1.3'
-gem 'sprockets-rails', "~> 2.3.0" # version 3.2 available, but breaks a test.
+gem 'sprockets-rails', "~> 3.2.0"
 gem 'shared_mustache', '~> 1.0.0'
 gem 'statsd-ruby', '1.3.0', require: 'statsd'
 gem "therubyracer", "~> 0.12.0"
diff --git a/Gemfile.lock b/Gemfile.lock
index 7de9c98e24..d9392e6ce6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -258,10 +258,10 @@ GEM
 sprockets (3.7.1)
 concurrent-ruby (~> 1.0)
 rack (> 1, < 3)
- sprockets-rails (2.3.3)
- actionpack (>= 3.0)
- activesupport (>= 3.0)
- sprockets (>= 2.8, < 4.0)
+ sprockets-rails (3.2.0)
+ actionpack (>= 4.0)
+ activesupport (>= 4.0)
+ sprockets (>= 3.0.0)
 statsd-ruby (1.3.0)
 test-unit (3.2.3)
 power_assert
@@ -335,7 +335,7 @@ DEPENDENCIES
 simplecov
 simplecov-rcov
 slimmer (~> 10.1.3)
- sprockets-rails (~> 2.3.0)
+ sprockets-rails (~> 3.2.0)
 statsd-ruby (= 1.3.0)
 therubyracer (~> 0.12.0)
 timecop
From d53468fe47c509b0799eb8ce26137a6d67594109 Mon Sep 17 00:00:00 2001
From: Murray Steele
Date: Wed, 17 May 2017 14:01:27 +0000
Subject: [PATCH 2/3] Add SRI attributes to javascript and stylesheets

We rely on sprockets-rails to do the heavy lifting for us here and calculate the integrity sha for these assets. We also add th ecrossorigin attribute set to 'anonymous' because our assets are served from a different domain to the main application (assets.publishing.service.gov.uk vs www.gov.uk in most cases) and so to avoid dealing with CORS we tell the browser to not send CORS headers with the request for the asset.
---
 app/views/help/tour.html.erb | 2 +-
 app/views/layouts/application.html.erb | 4 ++--
 app/views/travel_advice/index.html.erb | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/views/help/tour.html.erb b/app/views/help/tour.html.erb
index 2be2287dce..a00db01d6c 100644
--- a/app/views/help/tour.html.erb
+++ b/app/views/help/tour.html.erb
@@ -145,5 +145,5 @@
 <% content_for :body_classes do %>full-width<% end %>
 <% content_for :extra_javascript do %>
- <%= javascript_include_tag 'tour.js', :defer => 'defer' %>
+ <%= javascript_include_tag 'tour.js', :defer => 'defer', integrity: true, crossorigin: 'anonymous' %>
 <% end %>
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 042c599839..c27b3f749c 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -7,11 +7,11 @@
- <%= stylesheet_link_tag "application.css" %>
+ <%= stylesheet_link_tag "application.css", integrity: true, crossorigin: 'anonymous' %>
- <%= javascript_include_tag 'frontend.js' %>
+ <%= javascript_include_tag 'frontend.js', integrity: true, crossorigin: 'anonymous' %>
 <%= yield :extra_javascript %>
 <%= yield :extra_headers %>
 <% if @content_item %>
diff --git a/app/views/travel_advice/index.html.erb b/app/views/travel_advice/index.html.erb
index 0299c6b50a..8b6a6b8a77 100644
--- a/app/views/travel_advice/index.html.erb
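Review bot: The new `javascript_include_tag` line in tour.html.erb mixes hash-rocket and keyword syntax inside one options hash (`:defer => 'defer', integrity: true, crossorigin: 'anonymous'`), which reads as if two people wrote it and is what the style guide flags. Rails treats `defer` as a boolean attribute, so `defer: true` renders the same `defer="defer"` as the literal string; I would write the whole call as `<%= javascript_include_tag 'tour.js', defer: true, integrity: true, crossorigin: 'anonymous' %>`. The enclosing `content_for :extra_javascript` block is fully visible in the hunk, so nothing else needs to move.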
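Review bot: `crossorigin: 'anonymous'` on the `application.css` and `frontend.js` tags does not avoid CORS, it depends on it: a browser applying `integrity` to a cross-origin resource fetches it in CORS mode and will only run the hash check, and only use the asset at all, if the asset host answers with an `Access-Control-Allow-Origin` that matches www.gov.uk (or `*`); otherwise the page renders with no stylesheet and no JavaScript. The commit message states the opposite, so before this ships confirm that assets.publishing.service.gov.uk, and any CDN caching in front of it, returns that header for these paths and that the header survives caching (`Vary: Origin` if it echoes the origin). The attribute itself is right, since without it the browser cannot verify an opaque cross-origin response; the missing piece is the check on the asset host, which this hunk cannot show. A short comment above the two tags would save the next reader the same confusion, e.g. `<%# integrity needs the asset host to send Access-Control-Allow-Origin for www.gov.uk %>`.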
+++ b/app/views/travel_advice/index.html.erb
@@ -1,5 +1,5 @@
 <% content_for :extra_headers do %>
- <%= javascript_include_tag "views/travel-advice.js" %>
+ <%= javascript_include_tag "views/travel-advice.js", integrity: true, crossorigin: 'anonymous' %>
 <%= auto_discovery_link_tag :atom, travel_advice_path(:format => :atom), :title => "Recent updates" %>
 <% end %>
From efa6395848873b0e2d24f73f9418b867194429b4 Mon Sep 17 00:00:00 2001
From: Murray Steele
Date: Wed, 17 May 2017 16:13:03 +0000
Subject: [PATCH 3/3] Use new 1.0.1 version of shared_mustache

This brings with it sprockets-rails 3.x compatibility by adding hogan.js to assets.precompile. This may only be a problem on development as we only make the render_mustache call in that rails env.
---
 Gemfile.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index d9392e6ce6..9bd5c33ee9 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -141,7 +141,7 @@ GEM
 mocha (1.2.1)
 metaclass (~> 0.0.1)
 multi_json (1.12.1)
- mustache (1.0.3)
+ mustache (1.0.5)
 netrc (0.11.0)
 nokogiri (1.6.8.1)
 mini_portile2 (~> 2.1.0)
@@ -235,7 +235,7 @@ GEM
 scss_lint (0.51.0)
 rake (>= 0.9, < 13)
 sass (~> 3.4.20)
- shared_mustache (1.0.0)
+ shared_mustache (1.0.1)
 execjs (>= 1.2.4)
 mustache (~> 1.0.2)
 shoulda-context (1.2.2)
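Review bot: `integrity: true` on the `views/travel-advice.js` tag does not guarantee an `integrity` attribute in the output; as far as I recall sprockets-rails 3.x only computes it when the request is SSL or local, and otherwise drops the option silently, so pages served over plain HTTP get no SRI and a test that asserts on the attribute can pass in development and prove nothing about a non-TLS environment. It is worth a view test that renders this template under an `https` request and asserts `integrity="sha256-` and `crossorigin="anonymous"` appear, plus one without SSL to pin whatever fallback you intend. Separately, the next line keeps `:format => :atom` and `:title =>` hash-rockets beside the new keyword-style options; `travel_advice_path(format: :atom), title: "Recent updates"` would keep the block in one style. The `content_for :extra_headers` block is fully contained in the hunk.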