Start using SRI hashes for CSS/JS assets

Uses Hugo's site data mechanism to load pre-generated asset hashes.

data/sri.toml

@@ -0,0 +1,3 @@
+style = "sha384-qRVpIj9hSzsBhmO8Y7YEKF2UFra2sJQtl9V/uFKKDvy+Wjh9zgTku6VRgT8YdPoD"
+cookieconsentcss = "sha384-6iYDyQZuuNT7DcPJGXx241czdv2+GDGUcXRiqw1iXrjgYMTorSetxFP3JCMQMwnR"
+cookieconsentjs = "sha384-PDjg2ZdS3khPzd53i18+7tzB32JVQfFMrTXYo21RqPgUmEVAPwIhxOUF/8sP79CS"

layouts/_default/baseof.html

@@ -9,7 +9,7 @@
     <title>{{ block "title" . }}{{ .Site.Title }}{{ end }}</title>
 
     {{ "<!-- combined, minified CSS -->" | safeHTML }}
-    <link href="{{ .Site.BaseURL }}css/style.css" rel="stylesheet">
+    <link href="{{ .Site.BaseURL }}css/style.css" rel="stylesheet" integrity="{{ .Site.Data.sri.style}}" crossorigin="anonymous">
 
     {{ if .RSSLink }}
     {{ "<!-- RSS 2.0 feed -->" | safeHTML }}

layouts/partials/cookie-consent.html

@@ -1,5 +1,5 @@
-<link href="{{ .Site.BaseURL }}css/cookieconsent.min.css" rel="stylesheet" type="text/css">
-<script src="{{ .Site.BaseURL }}js/cookieconsent.min.js" async></script>
+<link href="{{ .Site.BaseURL }}css/cookieconsent.min.css" rel="stylesheet" type="text/css" integrity="{{ .Site.Data.sri.cookieconsentcss }}" crossorigin="anonymous">
+<script src="{{ .Site.BaseURL }}js/cookieconsent.min.js" integrity="{{ .Site.Data.sri.cookieconsentjs }}" crossorigin="anonymous" async></script>
 
 <script>
 window.addEventListener("load", function(){