[DO NOT MERGE] Adds SRI to js and css files #1008
This will add security checks to verify that the content being served on GOV.UK hasn't been modified by third parties:

- upgrades `sprockets-rails` to version 3.2.0 so that we can use the SRI check feature
- adds `integrity: true` to `javascript_include_tag` and `stylesheet_link_tag`

Explicitly setting `config.assets.digest` to `false`, since the default value is set to `true` in sprockets-rails 3.0: rails/sprockets-rails@3cb84ea

How to test
-----------

Either set `config.assets.debug = false` in config/environments/development.rb or run the application in production mode. This is because sprockets-rails checks for this flag when deciding if it should calculate the integrity attribute: https://github.com/rails/sprockets-rails/blob/10bc1bd096b39a3dd632571dd517788314657056/lib/sprockets/rails/helper.rb#L168
Once govuk_template has been upgraded to v0.21.0 it will use a new batch of icons. The old ones no longer exist, and have been removed from the routes + tests. See alphagov/govuk_template@82d9459 for the changes done to icons in govuk_template.
The CI failures here are because we need the fix in alphagov/govuk_template#305 to be released (see: alphagov/govuk_template#307).

Note that this is on hold while we investigate a Firefox issue with SRI (see alphagov/government-frontend#368).

See alphagov/govuk_template#308 and alphagov/govuk_template#301 for discussion on impact. We're holding off on SRI until there are fewer users using the version of Firefox that has an issue with calculating SRI.

Should we close this for now?

Closing while SRI is on hold.
Trello card
Depends on:

In order to use SRI, the browser expects CORS to be supported. This is why we need to add `crossorigin: true` alongside `integrity: true`. See more here.
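As an added example (not code from alphagov, govuk_template or sprockets-rails), the Ruby below shows what `integrity: true` and `crossorigin: true` in the description above amount to. It computes the `sha256-<base64>` value the helper emits for an asset, then replays the browser-side check against intact and tampered bytes, and shows why a cross-origin response fetched without `crossorigin` fails the check even when the bytes are untouched. `SAMPLE_JS`, `script_tag`, `response_eligible?` and `browser_allows?` are assumptions standing in for the compiled asset, the Rails tag helper and the browser; the behaviours they model (only the strongest recognised algorithm is consulted, unrecognised algorithms are ignored, opaque responses fail) follow the Subresource Integrity specification.

```ruby
# Added example: SRI generation and the browser-side check it enables.
# Not code from the alphagov or sprockets-rails projects.
require "digest"

# Constructed sample asset; on the real site this would be a compiled Sprockets bundle.
SAMPLE_JS = "window.GOVUK = window.GOVUK || {};\n".freeze

# The three algorithms SRI defines, weakest first (order matters below).
SRI_ALGORITHMS = {
  "sha256" => Digest::SHA256,
  "sha384" => Digest::SHA384,
  "sha512" => Digest::SHA512
}.freeze

# What `integrity: true` puts in the tag: "<algo>-<base64 of the raw digest>".
def sri_hash(content, algorithm: "sha256")
  digest_class = SRI_ALGORITHMS.fetch(algorithm) do
    raise ArgumentError, "SRI only defines sha256, sha384 and sha512"
  end
  "#{algorithm}-#{[digest_class.digest(content)].pack('m0')}"
end

# Hypothetical stand-in for javascript_include_tag(src, integrity: true, crossorigin: true).
def script_tag(src, content)
  %(<script src="#{src}" integrity="#{sri_hash(content)}" crossorigin="anonymous"></script>)
end

# Browser-side comparison over the fetched bytes. `integrity` may carry several
# space-separated hashes, each optionally suffixed with "?option"; only the
# strongest recognised algorithm is consulted, and one match at that strength passes.
def integrity_ok?(integrity_attr, fetched_content)
  parsed = integrity_attr.split
                         .map { |token| token.split("?").first.split("-", 2) }
                         .select { |algo, _| SRI_ALGORITHMS.key?(algo) }
  # Spec behaviour: no recognised algorithm means no metadata, so the resource loads.
  # A typo such as "sha-256" therefore silently disables the check instead of failing closed.
  return true if parsed.empty?

  strongest = parsed.map { |algo, _| SRI_ALGORITHMS.keys.index(algo) }.max
  parsed.any? do |algo, expected|
    SRI_ALGORITHMS.keys.index(algo) == strongest &&
      "#{algo}-#{expected}" == sri_hash(fetched_content, algorithm: algo)
  end
end

# Whether the browser may compare hashes at all. It can only validate a response
# whose bytes the page is allowed to read: same-origin, or cross-origin fetched in
# CORS mode (the crossorigin attribute) and permitted by the server. A cross-origin
# <script> without crossorigin is a no-cors fetch; its response is opaque and the
# spec fails the check outright, blocking an intact asset. Hence crossorigin: true
# alongside integrity: true.
def response_eligible?(same_origin:, crossorigin:, cors_allowed:)
  return true if same_origin
  crossorigin && cors_allowed
end

# The full decision a browser makes before executing the script.
def browser_allows?(integrity_attr, fetched_content,
                    same_origin: true, crossorigin: false, cors_allowed: false)
  response_eligible?(same_origin: same_origin, crossorigin: crossorigin, cors_allowed: cors_allowed) &&
    integrity_ok?(integrity_attr, fetched_content)
end

if __FILE__ == $PROGRAM_NAME
  expected = sri_hash(SAMPLE_JS)
  puts script_tag("/assets/application.js", SAMPLE_JS)
  puts "intact:                         #{browser_allows?(expected, SAMPLE_JS)}"
  puts "tampered:                       #{browser_allows?(expected, SAMPLE_JS + 'alert(1);')}"
  puts "cross-origin, no crossorigin:   #{browser_allows?(expected, SAMPLE_JS,
                                           same_origin: false, cors_allowed: true)}"
  puts "cross-origin, crossorigin+CORS: #{browser_allows?(expected, SAMPLE_JS,
                                           same_origin: false, crossorigin: true, cors_allowed: true)}"
end
```

The tampered case is the threat the description is about: a modified bundle fails the hash comparison and is not executed. The third case is the one the CORS note warns about: with `integrity` set but no `crossorigin`, a cross-origin asset is blocked even though nobody changed it, which looks like an outage rather than a security event, so the two attributes have to ship together.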