authorjomo <github@jomo.tv>2015-12-03 23:07:46 +0100
committerjomo <github@jomo.tv>2015-12-03 23:12:04 +0100
commit560f83ce88097d43e00d1b6cdefbf85906a97583 (patch)
treedb8178693280cdaf8bde2c4b86b75e62cf493381
parente50f1fffee2305ae5ec1273ba63cd0852a9f47e3 (diff)
use Subresource Integrity for externally hosted javascript
browsers will calculate the sha256 hash of the script and compare it to the value of the integrity attribute. if the values do not match, the browser will refuse to execute it. note: the shasum is written in base64 encoding, not the (more common) hex format!
-rw-r--r--app/views/layouts/application.html.erb2
1 files changed, 1 insertions, 1 deletions
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 2839b9c..0b91a6a 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -7,7 +7,7 @@
<%= stylesheet_link_tag "application", :media => "all" %>
<%= csrf_meta_tags %>
<%= favicon_link_tag "favicon.ico" %>
- <%= javascript_include_tag "https://cdn.rawgit.com/jomo/ago.js/master/ago.min.js" %>
+ <%= javascript_include_tag "https://cdn.rawgit.com/jomo/ago.js/master/ago.min.js", crossorigin: :anonymous, integrity: "sha256-xw0JUUdbuZQCVO+QScoxrlEsD4nZGCjMRh9PP8GLhcY=" %>
<%= javascript_include_tag "application" %>
<link type="application/atom+xml" rel="alternate" href="<%= blogposts_path(:atom) %>">
<%= yield(:site_headers) %>
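Review bot: The integrity value on the added `javascript_include_tag` line is bound to a URL that tracks the `master` branch, so any upstream commit that changes `ago.min.js` will make browsers refuse the script until the hash in this layout is updated by hand. Pinning the URL to an immutable ref, e.g. `https://cdn.rawgit.com/jomo/ago.js/<COMMIT_SHA_PLACEHOLDER>/ago.min.js`, keeps the fetched bytes and the pinned digest in step and makes an upgrade an explicit, reviewable change. An ERB comment above the tag such as `<%# integrity = base64 of the sha256 digest of ago.min.js; regenerate with: openssl dgst -sha256 -binary ago.min.js | openssl base64 -A %>` would carry the base64-versus-hex caveat from the commit message into the file, where the next editor will see it. Whether code in the `application` bundle depends on ago.js having loaded is not visible in this hunk, so the behaviour of the page after a blocked load should be checked.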