closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
Browse Source

Add subresource integrity for JS and CSS assets (#15096) 

Fix #2744
master
Eugen Rochko 4 years ago
committed by GitHub
parent
68d4b2b83e
commit
9b1f2a4b61
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
31 changed files with 79 additions and 39 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -1
      app/views/about/more.html.haml
  2. +1
    -1
      app/views/admin/action_logs/index.html.haml
  3. +1
    -1
      app/views/admin/custom_emojis/index.html.haml
  4. +1
    -1
      app/views/admin/domain_allows/new.html.haml
  5. +1
    -1
      app/views/admin/domain_blocks/edit.html.haml
  6. +1
    -1
      app/views/admin/domain_blocks/new.html.haml
  7. +1
    -1
      app/views/admin/ip_blocks/index.html.haml
  8. +1
    -1
      app/views/admin/pending_accounts/index.html.haml
  9. +1
    -1
      app/views/admin/reports/show.html.haml
  10. +1
    -1
      app/views/admin/settings/edit.html.haml
  11. +1
    -1
      app/views/admin/statuses/index.html.haml
  12. +1
    -1
      app/views/admin/tags/index.html.haml
  13. +1
    -1
      app/views/auth/sessions/two_factor.html.haml
  14. +5
    -5
      app/views/home/index.html.haml
  15. +1
    -1
      app/views/layouts/admin.html.haml
  16. +4
    -4
      app/views/layouts/application.html.haml
  17. +1
    -1
      app/views/layouts/auth.html.haml
  18. +2
    -2
      app/views/layouts/embedded.html.haml
  19. +4
    -4
      app/views/layouts/error.html.haml
  20. +1
    -1
      app/views/layouts/modal.html.haml
  21. +1
    -1
      app/views/layouts/public.html.haml
  22. +1
    -1
      app/views/media/player.html.haml
  23. +1
    -1
      app/views/public_timelines/show.html.haml
  24. +1
    -1
      app/views/relationships/show.html.haml
  25. +1
    -1
      app/views/settings/two_factor_authentication/webauthn_credentials/new.html.haml
  26. +1
    -1
      app/views/shares/show.html.haml
  27. +1
    -1
      app/views/tags/show.html.haml
  28. +2
    -0
      config/application.rb
  29. +2
    -1
      config/webpack/shared.js
  30. +20
    -0
      lib/webpacker/helper_extensions.rb
  31. +17
    -0
      lib/webpacker/manifest_extensions.rb

+ 1
- 1
app/views/about/more.html.haml View File

@ -2,7 +2,7 @@
= site_hostname = site_hostname
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'public', crossorigin: 'anonymous'
= render partial: 'shared/og' = render partial: 'shared/og'
.grid-4 .grid-4

+ 1
- 1
app/views/admin/action_logs/index.html.haml View File

@ -2,7 +2,7 @@
= t('admin.action_logs.title') = t('admin.action_logs.title')
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
= form_tag admin_action_logs_url, method: 'GET', class: 'simple_form' do = form_tag admin_action_logs_url, method: 'GET', class: 'simple_form' do
= hidden_field_tag :target_account_id, params[:target_account_id] if params[:target_account_id].present? = hidden_field_tag :target_account_id, params[:target_account_id] if params[:target_account_id].present?

+ 1
- 1
app/views/admin/custom_emojis/index.html.haml View File

@ -2,7 +2,7 @@
= t('admin.custom_emojis.title') = t('admin.custom_emojis.title')
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
- if can?(:create, :custom_emoji) - if can?(:create, :custom_emoji)
- content_for :heading_actions do - content_for :heading_actions do

+ 1
- 1
app/views/admin/domain_allows/new.html.haml View File

@ -1,5 +1,5 @@
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
- content_for :page_title do - content_for :page_title do
= t('admin.domain_allows.add_new') = t('admin.domain_allows.add_new')

+ 1
- 1
app/views/admin/domain_blocks/edit.html.haml View File

@ -1,5 +1,5 @@
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
- content_for :page_title do - content_for :page_title do
= t('admin.domain_blocks.edit') = t('admin.domain_blocks.edit')

+ 1
- 1
app/views/admin/domain_blocks/new.html.haml View File

@ -1,5 +1,5 @@
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
- content_for :page_title do - content_for :page_title do
= t('.title') = t('.title')

+ 1
- 1
app/views/admin/ip_blocks/index.html.haml View File

@ -2,7 +2,7 @@
= t('admin.ip_blocks.title') = t('admin.ip_blocks.title')
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
- if can?(:create, :ip_block) - if can?(:create, :ip_block)
- content_for :heading_actions do - content_for :heading_actions do

+ 1
- 1
app/views/admin/pending_accounts/index.html.haml View File

@ -2,7 +2,7 @@
= t('admin.pending_accounts.title', count: User.pending.count) = t('admin.pending_accounts.title', count: User.pending.count)
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
= form_for(@form, url: batch_admin_pending_accounts_path) do |f| = form_for(@form, url: batch_admin_pending_accounts_path) do |f|
= hidden_field_tag :page, params[:page] || 1 = hidden_field_tag :page, params[:page] || 1

+ 1
- 1
app/views/admin/reports/show.html.haml View File

@ -1,5 +1,5 @@
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
- content_for :page_title do - content_for :page_title do
= t('admin.reports.report', id: @report.id) = t('admin.reports.report', id: @report.id)

+ 1
- 1
app/views/admin/settings/edit.html.haml View File

@ -1,5 +1,5 @@
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
- content_for :page_title do - content_for :page_title do
= t('admin.settings.title') = t('admin.settings.title')

+ 1
- 1
app/views/admin/statuses/index.html.haml View File

@ -1,5 +1,5 @@
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
- content_for :page_title do - content_for :page_title do
= t('admin.statuses.title') = t('admin.statuses.title')

+ 1
- 1
app/views/admin/tags/index.html.haml View File

@ -2,7 +2,7 @@
= t('admin.tags.title') = t('admin.tags.title')
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
.filters .filters
.filter-subset .filter-subset

+ 1
- 1
app/views/auth/sessions/two_factor.html.haml View File

@ -1,7 +1,7 @@
- content_for :page_title do - content_for :page_title do
= t('auth.login') = t('auth.login')
=javascript_pack_tag 'two_factor_authentication', integrity: true, crossorigin: 'anonymous'
=javascript_pack_tag 'two_factor_authentication', crossorigin: 'anonymous'
- if @webauthn_enabled - if @webauthn_enabled
= render partial: 'auth/sessions/two_factor/webauthn_form', locals: { hidden: @scheme_type != 'webauthn' } = render partial: 'auth/sessions/two_factor/webauthn_form', locals: { hidden: @scheme_type != 'webauthn' }

+ 5
- 5
app/views/home/index.html.haml View File

@ -1,12 +1,12 @@
- content_for :header_tags do - content_for :header_tags do
= preload_link_tag asset_pack_path('features/getting_started.js'), crossorigin: 'anonymous'
= preload_link_tag asset_pack_path('features/compose.js'), crossorigin: 'anonymous'
= preload_link_tag asset_pack_path('features/home_timeline.js'), crossorigin: 'anonymous'
= preload_link_tag asset_pack_path('features/notifications.js'), crossorigin: 'anonymous'
= preload_pack_asset 'features/getting_started.js', crossorigin: 'anonymous'
= preload_pack_asset 'features/compose.js', crossorigin: 'anonymous'
= preload_pack_asset 'features/home_timeline.js', crossorigin: 'anonymous'
= preload_pack_asset 'features/notifications.js', crossorigin: 'anonymous'
%meta{name: 'applicationServerKey', content: Rails.configuration.x.vapid_public_key} %meta{name: 'applicationServerKey', content: Rails.configuration.x.vapid_public_key}
= render_initial_state = render_initial_state
= javascript_pack_tag 'application', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'application', crossorigin: 'anonymous'
.app-holder#mastodon{ data: { props: Oj.dump(default_props) } } .app-holder#mastodon{ data: { props: Oj.dump(default_props) } }
%noscript %noscript

+ 1
- 1
app/views/layouts/admin.html.haml View File

@ -1,6 +1,6 @@
- content_for :header_tags do - content_for :header_tags do
= render_initial_state = render_initial_state
= javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'public', crossorigin: 'anonymous'
- content_for :content do - content_for :content do
.admin-wrapper .admin-wrapper

+ 4
- 4
app/views/layouts/application.html.haml View File

@ -21,10 +21,10 @@
%title= content_for?(:page_title) ? safe_join([yield(:page_title).chomp.html_safe, title], ' - ') : title %title= content_for?(:page_title) ? safe_join([yield(:page_title).chomp.html_safe, title], ' - ') : title
= stylesheet_pack_tag 'common', media: 'all'
= stylesheet_pack_tag current_theme, media: 'all'
= javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
= stylesheet_pack_tag 'common', media: 'all', crossorigin: 'anonymous'
= stylesheet_pack_tag current_theme, media: 'all', crossorigin: 'anonymous'
= javascript_pack_tag 'common', crossorigin: 'anonymous'
= javascript_pack_tag "locale_#{I18n.locale}", crossorigin: 'anonymous'
= csrf_meta_tags = csrf_meta_tags
%meta{ name: 'style-nonce', content: request.content_security_policy_nonce } %meta{ name: 'style-nonce', content: request.content_security_policy_nonce }

+ 1
- 1
app/views/layouts/auth.html.haml View File

@ -1,5 +1,5 @@
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'public', crossorigin: 'anonymous'
- content_for :content do - content_for :content do
.container-alt .container-alt

+ 2
- 2
app/views/layouts/embedded.html.haml View File

@ -11,8 +11,8 @@
- if storage_host? - if storage_host?
%link{ rel: 'dns-prefetch', href: storage_host }/ %link{ rel: 'dns-prefetch', href: storage_host }/
= stylesheet_pack_tag 'common', media: 'all'
= stylesheet_pack_tag Setting.default_settings['theme'], media: 'all'
= stylesheet_pack_tag 'common', media: 'all', crossorigin: 'anonymous'
= stylesheet_pack_tag Setting.default_settings['theme'], media: 'all', crossorigin: 'anonymous'
= javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous' = javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous' = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
= render_initial_state = render_initial_state

+ 4
- 4
app/views/layouts/error.html.haml View File

@ -5,10 +5,10 @@
%meta{ charset: 'utf-8' }/ %meta{ charset: 'utf-8' }/
%title= safe_join([yield(:page_title), Setting.default_settings['site_title']], ' - ') %title= safe_join([yield(:page_title), Setting.default_settings['site_title']], ' - ')
%meta{ content: 'width=device-width,initial-scale=1', name: 'viewport' }/ %meta{ content: 'width=device-width,initial-scale=1', name: 'viewport' }/
= stylesheet_pack_tag 'common', media: 'all'
= stylesheet_pack_tag Setting.default_settings['theme'], media: 'all'
= javascript_pack_tag 'common', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'error', integrity: true, crossorigin: 'anonymous'
= stylesheet_pack_tag 'common', media: 'all', crossorigin: 'anonymous'
= stylesheet_pack_tag Setting.default_settings['theme'], media: 'all', crossorigin: 'anonymous'
= javascript_pack_tag 'common', crossorigin: 'anonymous'
= javascript_pack_tag 'error', crossorigin: 'anonymous'
%body.error %body.error
.dialog .dialog
.dialog__illustration .dialog__illustration

+ 1
- 1
app/views/layouts/modal.html.haml View File

@ -1,5 +1,5 @@
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'public', crossorigin: 'anonymous'
- content_for :content do - content_for :content do
- if user_signed_in? && !@hide_header - if user_signed_in? && !@hide_header

+ 1
- 1
app/views/layouts/public.html.haml View File

@ -1,6 +1,6 @@
- content_for :header_tags do - content_for :header_tags do
= render_initial_state = render_initial_state
= javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'public', crossorigin: 'anonymous'
- content_for :content do - content_for :content do
.public-layout .public-layout

+ 1
- 1
app/views/media/player.html.haml View File

@ -1,6 +1,6 @@
- content_for :header_tags do - content_for :header_tags do
= render_initial_state = render_initial_state
= javascript_pack_tag 'public', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'public', crossorigin: 'anonymous'
- if @media_attachment.video? - if @media_attachment.video?
= react_component :video, src: @media_attachment.file.url(:original), preview: @media_attachment.thumbnail.present? ? @media_attachment.thumbnail.url : @media_attachment.file.url(:small), blurhash: @media_attachment.blurhash, width: 670, height: 380, editable: true, detailed: true, inline: true, alt: @media_attachment.description do = react_component :video, src: @media_attachment.file.url(:original), preview: @media_attachment.thumbnail.present? ? @media_attachment.thumbnail.url : @media_attachment.file.url(:small), blurhash: @media_attachment.blurhash, width: 670, height: 380, editable: true, detailed: true, inline: true, alt: @media_attachment.description do

+ 1
- 1
app/views/public_timelines/show.html.haml View File

@ -3,7 +3,7 @@
- content_for :header_tags do - content_for :header_tags do
%meta{ name: 'robots', content: 'noindex' }/ %meta{ name: 'robots', content: 'noindex' }/
= javascript_pack_tag 'about', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'about', crossorigin: 'anonymous'
.page-header .page-header
%h1= t('about.see_whats_happening') %h1= t('about.see_whats_happening')

+ 1
- 1
app/views/relationships/show.html.haml View File

@ -2,7 +2,7 @@
= t('settings.relationships') = t('settings.relationships')
- content_for :header_tags do - content_for :header_tags do
= javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
= javascript_pack_tag 'admin', async: true, crossorigin: 'anonymous'
.filters .filters
.filter-subset .filter-subset

+ 1
- 1
app/views/settings/two_factor_authentication/webauthn_credentials/new.html.haml View File

@ -13,4 +13,4 @@
.actions .actions
= f.button :button, t('webauthn_credentials.add'), class: 'js-webauthn', type: :submit = f.button :button, t('webauthn_credentials.add'), class: 'js-webauthn', type: :submit
= javascript_pack_tag 'two_factor_authentication', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'two_factor_authentication', crossorigin: 'anonymous'

+ 1
- 1
app/views/shares/show.html.haml View File

@ -1,5 +1,5 @@
- content_for :header_tags do - content_for :header_tags do
= render_initial_state = render_initial_state
= javascript_pack_tag 'share', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'share', crossorigin: 'anonymous'
#mastodon-compose{ data: { props: Oj.dump(default_props) } } #mastodon-compose{ data: { props: Oj.dump(default_props) } }

+ 1
- 1
app/views/tags/show.html.haml View File

@ -5,7 +5,7 @@
%meta{ name: 'robots', content: 'noindex' }/ %meta{ name: 'robots', content: 'noindex' }/
%link{ rel: 'alternate', type: 'application/rss+xml', href: tag_url(@tag, format: 'rss') }/ %link{ rel: 'alternate', type: 'application/rss+xml', href: tag_url(@tag, format: 'rss') }/
= javascript_pack_tag 'about', integrity: true, crossorigin: 'anonymous'
= javascript_pack_tag 'about', crossorigin: 'anonymous'
= render 'og' = render 'og'
.page-header .page-header

+ 2
- 0
config/application.rb View File

@ -22,6 +22,8 @@ require_relative '../lib/mastodon/version'
require_relative '../lib/devise/two_factor_ldap_authenticatable' require_relative '../lib/devise/two_factor_ldap_authenticatable'
require_relative '../lib/devise/two_factor_pam_authenticatable' require_relative '../lib/devise/two_factor_pam_authenticatable'
require_relative '../lib/chewy/strategy/custom_sidekiq' require_relative '../lib/chewy/strategy/custom_sidekiq'
require_relative '../lib/webpacker/manifest_extensions'
require_relative '../lib/webpacker/helper_extensions'
Dotenv::Railtie.load Dotenv::Railtie.load

+ 2
- 1
config/webpack/shared.js View File

@ -79,7 +79,8 @@ module.exports = {
chunkFilename: 'css/[name]-[contenthash:8].chunk.css', chunkFilename: 'css/[name]-[contenthash:8].chunk.css',
}), }),
new AssetsManifestPlugin({ new AssetsManifestPlugin({
integrity: false,
integrity: true,
integrityHashes: ['sha256'],
entrypoints: true, entrypoints: true,
writeToDisk: true, writeToDisk: true,
publicPath: true, publicPath: true,

+ 20
- 0
lib/webpacker/helper_extensions.rb View File

@ -0,0 +1,20 @@
# frozen_string_literal: true
module Webpacker::HelperExtensions
def javascript_pack_tag(name, **options)
src, integrity = current_webpacker_instance.manifest.lookup!(name, type: :javascript, with_integrity: true)
javascript_include_tag(src, options.merge(integrity: integrity))
end
def stylesheet_pack_tag(name, **options)
src, integrity = current_webpacker_instance.manifest.lookup!(name, type: :stylesheet, with_integrity: true)
stylesheet_link_tag(src, options.merge(integrity: integrity))
end
def preload_pack_asset(name, **options)
src, integrity = current_webpacker_instance.manifest.lookup!(name, with_integrity: true)
preload_link_tag(src, options.merge(integrity: integrity))
end
end
Webpacker::Helper.prepend(Webpacker::HelperExtensions)

+ 17
- 0
lib/webpacker/manifest_extensions.rb View File

@ -0,0 +1,17 @@
# frozen_string_literal: true
module Webpacker::ManifestExtensions
def lookup(name, pack_type = {})
asset = super
if pack_type[:with_integrity] && asset.respond_to?(:dig)
[asset.dig('src'), asset.dig('integrity')]
elsif asset.respond_to?(:dig)
asset.dig('src')
else
asset
end
end
end
Webpacker::Manifest.prepend(Webpacker::ManifestExtensions)

Write Preview
Loading…
Cancel
Save