layouts: Add Subresource Integrity (SRI) (#162)

data/sri.toml

@@ -0,0 +1,15 @@
+# How to update an entry:
+#
+#    echo -n "sha512-" && curl --silent "https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/MathJax.js?config=TeX-AMS_CHTML" | openssl dgst -sha512 -binary | openssl enc -base64 -A
+
+[js]
+    imagesLoaded = "sha512-gAY/etPYgEHDUW+GLBkxn90gKGHPlPCpRhXasGZHGx1Pk0QZw2bLRWCf1dOrY7UhHs8EV6KBSBq86206CJqrZA=="
+    tweenMax = "sha512-ANpvRsX22QqENmRQm2qUqlRVbWanJykv+Z9+me4/n4LvUNkpPmO3Qm1VB0OQn0ip2xIdmbf9kaSAxTceOHY1YQ=="
+    scrollToPlugin = "sha512-CDeU7pRtkPX6XJtF/gcFWlEwyaX7mcAp5sO3VIu/ylsdR74wEw4wmBpD5yYTrmMAiAboi9thyBUr1vXRPA7t0Q=="
+    mathJax = "sha512-n9zwl+vW+B7/eARAI6ZQWmFAOzXiaDdgU8HoCEINtjFQYZRjLKbqUQCyVWtVYN4k/DOJ+bHHguQeyKSj+eTBaw=="
+    bootstrap = "sha512-iztkobsvnjKfAtTNdHkGVjAYTrrtlC7mGp/54c40wowO7LhURYl3gVzzcEqGl/qKXQltJ2HwMrdLcNUdo+N/RQ=="
+    isotope = "sha512-VDBOIlDbuC4VWxGJNmuFRQ0Li0SKkDpmGyuhAG5LTDLd/dJ/S0WMVxriR2Y+CyPL5gzjpN4f/6iqWVBJlht0tQ=="
+    jQuery = "sha512-jGsMH83oKe9asCpkOVkBnUrDDTp8wl+adkB2D+//JtlxO4SrLoJdhbOysIFQJloQFD+C4Fl1rMsQZF76JjV0eQ=="
+
+[css]
+    bootstrap = "sha512-6MXa8B6uaO18Hid6blRMetEIoPqHf7Ux1tnyIQdpt9qI5OACx7C+O3IVTr98vwGnlcg0LOLa02i9Y1HpVhlfiw=="

layouts/partials/footer.html

@@ -1,9 +1,18 @@
-    <script src="//cdnjs.cloudflare.com/ajax/libs/gsap/1.18.4/TweenMax.min.js"></script>
-    <script src="//cdnjs.cloudflare.com/ajax/libs/gsap/latest/plugins/ScrollToPlugin.min.js"></script>
-    <script src="{{ "/js/jquery-1.12.3.min.js" | relURL }}"></script>
-    <script src="{{ "/js/bootstrap.min.js" | relURL }}"></script>
-    <script src="{{ "/js/isotope.pkgd.min.js" | relURL }}"></script>
+    {{ if not .Site.Params.disable_sri }}
+    {{ printf "<script src=\"https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js\" integrity=\"%s\" crossorigin=\"anonymous\"></script>" .Site.Data.sri.js.jQuery | safeHTML }}
+    {{ printf "<script src=\"https://cdnjs.cloudflare.com/ajax/libs/jquery.imagesloaded/4.1.1/imagesloaded.pkgd.min.js\" integrity=\"%s\" crossorigin=\"anonymous\"></script>" .Site.Data.sri.js.imagesLoaded | safeHTML }}
+    {{ printf "<script src=\"https://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.4/TweenMax.min.js\" integrity=\"%s\" crossorigin=\"anonymous\"></script>" .Site.Data.sri.js.tweenMax| safeHTML }}
+    {{ printf "<script src=\"https://cdnjs.cloudflare.com/ajax/libs/gsap/1.19.1/plugins/ScrollToPlugin.min.js\" integrity=\"%s\" crossorigin=\"anonymous\"></script>" .Site.Data.sri.js.scrollToPlugin| safeHTML }}
+    {{ printf "<script src=\"https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js\" integrity=\"%s\" crossorigin=\"anonymous\"></script>" .Site.Data.sri.js.bootstrap | safeHTML }}
+    {{ printf "<script src=\"https://cdnjs.cloudflare.com/ajax/libs/jquery.isotope/3.0.4/isotope.pkgd.min.js\" integrity=\"%s\" crossorigin=\"anonymous\"></script>" .Site.Data.sri.js.isotope | safeHTML }}
+    {{ else }}
+    <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
     <script src="//cdnjs.cloudflare.com/ajax/libs/jquery.imagesloaded/4.1.1/imagesloaded.pkgd.min.js"></script>
+    <script src="//cdnjs.cloudflare.com/ajax/libs/gsap/1.18.4/TweenMax.min.js"></script>
+    <script src="//cdnjs.cloudflare.com/ajax/libs/gsap/1.19.1/plugins/ScrollToPlugin.min.js"></script>
+    <script src="//cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js"></script>
+    <script src="//cdnjs.cloudflare.com/ajax/libs/jquery.isotope/3.0.4/isotope.pkgd.min.js"></script>
+    {{ end }}
     <script src="{{ "/js/hugo-academic.js" | relURL }}"></script>
     {{ range .Site.Params.custom_js }}
     <script src="{{ "/js/" | relURL }}{{ . }}"></script>
@@ -56,8 +65,12 @@
     <script type="text/x-mathjax-config">
         MathJax.Hub.Config({ tex2jax: { inlineMath: [['$','$'], ['\\(','\\)']] } });
     </script>
+    {{ if not .Site.Params.disable_sri }}
+    {{ printf "<script src=\"https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/MathJax.js?config=TeX-AMS_CHTML\" integrity=\"%s\" crossorigin=\"anonymous\"></script>" .Site.Data.sri.js.mathJax | safeHTML }}
+    {{ else }}
     <script async src="//cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/MathJax.js?config=TeX-AMS_CHTML"></script>
     {{ end }}
+    {{ end }}
 
   </body>
 </html>

layouts/partials/header.html

@@ -26,9 +26,14 @@
     <link rel="stylesheet" href="{{ "/css/highlight.min.css" | relURL }}">
     {{ end }}
   {{ end }}
-  <link rel="stylesheet" href="{{ "/css/bootstrap.min.css" | relURL }}">
+  {{ if not .Site.Params.disable_sri }}
+  {{ printf "<link rel=\"stylesheet\" href=\"https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css\" integrity=\"%s\" crossorigin=\"anonymous\">" .Site.Data.sri.css.bootstrap | safeHTML }}
+  {{ else }}
+  <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css">
+  {{ end }}
   <link rel="stylesheet" href="{{ "/css/font-awesome.min.css" | relURL }}">
   <link rel="stylesheet" href="{{ "/css/academicons.min.css" | relURL }}">
+  {{/* We cannot use SRI with Google Fonts because the CSS is dynamically generated according to the user agent */}}
   <link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato:400,700%7CMerriweather%7CRoboto+Mono">
   <link rel="stylesheet" href="{{ "/css/hugo-academic.css" | relURL }}">
   {{ range .Site.Params.custom_css }}