Mercurial Mercurial > hg-stable / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tests/test-hgweb-csp.t
author C. Masloch <pushbx@ulukai.org>
Wed, 20 Apr 2022 19:24:39 +0200
changeset 49473 cfff73cab721
parent 37828 3e3acf5d6a07
child 50722 7e5be4a7cda7
permissions -rw-r--r--
rebase: add boolean config item rebase.store-source This allows to use rebase without recording a rebase_source extra field. This is useful for example to build a mirror converted from another SCM (such as svn) by converting only new revisions, and then incrementally add them to the destination by pulling from the newly converted (unrelated) repo and rebasing the new revisions onto the last old already stored changeset. Without this patch the rebased changesets would always receive some rebase_source that would depend on the particular history of the conversion process, instead of only depending on the original source revisions. This is used to implement a hg mirror repo of SvarDOS (a partially nonfree but completely redistributable DOS distribution) in the scripts at https://hg.pushbx.org/ecm/svardos.scr/ In particular, cre.sh creates an svn mirror, upd.sh recreates an entire hg repo from the svn mirror (which takes too long to do in a regular job), and akt.sh uses hg convert with the config item convert.svn.startrev to incrementally convert only the two most recent revisions already found in the mirror destination plus any possible new revisions. If any are found, the temporary repo's changesets are pulled into the destination (as changesets from an unrelated repository). Then the changesets corresponding to the new revisions are rebased onto the prior final changeset. (Finally, the two remaining duplicates of the prior head and its parent are stripped from the destination repository.) Without this patch, the particular rebase_source extra field would depend on the order and times at which akt.sh was used, instead of only depending on the source repository. In other words, whatever sequence of upd.sh and akt.sh is used at whatever times, it is desired that the final output repositories always match each other exactly.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
30766
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     1
 
#require serve
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     2
 












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     3


  $ cat > web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     4


  > [paths]













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     5


  > / = $TESTTMP/*













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     6


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     7














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     8


  $ hg init repo1













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     9


  $ cd repo1













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    10


  $ touch foo













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    11


  $ hg -q commit -A -m initial













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    12


  $ cd ..













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    13














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    14


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    15


  $ cat hg.pid >> $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    16














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    17


repo index should not send Content-Security-Policy header by default













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    18














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    19


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    20


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    21














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    22


static page should not send CSP by default













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    23














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    24


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    25


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    26














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    27


repo page should not send CSP by default, should send ETag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    28














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    29


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    30


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    31


  etag: W/"*" (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    32














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    33


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    34














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    35


Configure CSP without nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    36














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    37


  $ cat >> web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    38


  > [web]













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    39


  > csp = script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    40


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    41














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    42


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    43


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    44














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    45


repo index should send Content-Security-Policy header when enabled













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    46














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    47


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    48


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    49


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    50














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    51


static page should send CSP when enabled













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    52














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    53


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    54


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    55


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    56









37826






d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
35605

diff
changeset




    57


  $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy













d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
35605

diff
changeset




    58


  200 Script output follows













d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
35605

diff
changeset




    59


  content-security-policy: script-src https://example.com/ 'unsafe-inline'








37828






3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
37826

diff
changeset




    60


  304 Not Modified













3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
37826

diff
changeset




    61


  content-security-policy: script-src https://example.com/ 'unsafe-inline'








37826






d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
35605

diff
changeset




    62









30766






d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    63


repo page should send CSP by default, include etag w/o nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    64














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    65


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    66


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    67


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    68


  etag: W/"*" (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    69














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    70


nonce should not be added to html if CSP doesn't use it













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    71














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    72


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    73


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    74


  <script type="text/javascript">













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    75


  <script type="text/javascript">













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    76














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    77


Configure CSP with nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    78














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    79


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    80


  $ cat >> web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    81


  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    82


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    83














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    84


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    85


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    86














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    87


nonce should be substituted in CSP header













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    88














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    89


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    90


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    91


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    92














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    93


nonce should be included in CSP for static pages













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    94














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    95


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    96


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    97


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    98














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    99


repo page should have nonce, no ETag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   100














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   101


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   102


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   103


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   104














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   105


nonce should be added to html when used













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   106














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   107


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   108


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   109


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   110


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   111


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   112














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   113


hgweb_mod w/o hgwebdir works as expected













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   114














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   115


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   116









34483






a6d95a8b7243
serve: make tests compatible with chg



Saurabh Singh <singhsrb@fb.com>


parents: 
30766

diff
changeset




   117


  $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"








30766






d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   118


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   119














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   120


static page sends CSP













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   121














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   122


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   123


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   124


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   125














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   126


nonce included in <script> and headers













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   127














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   128


  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   129


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   130


  <script type="text/javascript" src="/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   131


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   132


  <script type="text/javascript" nonce="*"> (glob)















hg-stable