From 560f83ce88097d43e00d1b6cdefbf85906a97583 Mon Sep 17 00:00:00 2001
From: jomo
Date: Thu, 3 Dec 2015 23:07:46 +0100
Subject: [PATCH] use Subresource Integrity for externally hosted javascript browsers will calculate the sha256 hash of the script and compare it to the value of the integrity attribute if the values do not match, the browser will refuse to execute it. note: the shasum is written in base64 encoding, not the (more common) hex format!
---
 app/views/layouts/application.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 2839b9c..0b91a6a 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -7,7 +7,7 @@
 <%= stylesheet_link_tag "application", :media => "all" %>
 <%= csrf_meta_tags %>
 <%= favicon_link_tag "favicon.ico" %>
- <%= javascript_include_tag "https://cdn.rawgit.com/jomo/ago.js/master/ago.min.js" %>
+ <%= javascript_include_tag "https://cdn.rawgit.com/jomo/ago.js/master/ago.min.js", crossorigin: :anonymous, integrity: "sha256-xw0JUUdbuZQCVO+QScoxrlEsD4nZGCjMRh9PP8GLhcY=" %>
 <%= javascript_include_tag "application" %>
 <%= yield(:site_headers) %>
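Review bot: The integrity hash on the added `javascript_include_tag` line pins one exact build of ago.min.js, but the URL still points at the mutable `master` ref, so any later upstream commit will make the browser refuse the script rather than run the new code. That fail-closed behaviour is the point of SRI, but it means the page silently loses the library until someone updates the hash; pin the URL to an immutable ref as well, e.g. `<%= javascript_include_tag "https://cdn.rawgit.com/jomo/ago.js/<COMMIT_SHA>/ago.min.js", crossorigin: :anonymous, integrity: "sha256-<BASE64_DIGEST_OF_THAT_FILE>" %>`, or vendor the file into the asset pipeline. It is also worth confirming that the `application` bundle loaded on the next line tolerates the library being absent. The rest of the layout's head section lies outside this hunk.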