diff -r eb7de21b15be -r d7bf7d2bd5ab tests/test-hgweb-csp.t
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/test-hgweb-csp.t Tue Jan 10 23:37:08 2017 -0800
@@ -0,0 +1,129 @@
+#require serve
+
+ $ cat > web.conf << EOF
+ > [paths]
+ > / = $TESTTMP/*
+ > EOF
+
+ $ hg init repo1
+ $ cd repo1
+ $ touch foo
+ $ hg -q commit -A -m initial
+ $ cd ..
+
+ $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
+ $ cat hg.pid >> $DAEMON_PIDS
+
+repo index should not send Content-Security-Policy header by default
+
+ $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
+ 200 Script output follows
+
+static page should not send CSP by default
+
+ $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
+ 200 Script output follows
+
+repo page should not send CSP by default, should send ETag
+
+ $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
+ 200 Script output follows
+ etag: W/"*" (glob)
+
+ $ killdaemons.py
+
+Configure CSP without nonce
+
+ $ cat >> web.conf << EOF
+ > [web]
+ > csp = script-src https://example.com/ 'unsafe-inline'
+ > EOF
+
+ $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
+ $ cat hg.pid > $DAEMON_PIDS
+
+repo index should send Content-Security-Policy header when enabled
+
+ $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
+ 200 Script output follows
+ content-security-policy: script-src https://example.com/ 'unsafe-inline'
+
+static page should send CSP when enabled
+
+ $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
+ 200 Script output follows
+ content-security-policy: script-src https://example.com/ 'unsafe-inline'
+
+repo page should send CSP by default, include etag w/o nonce
+
+ $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
+ 200 Script output follows
+ content-security-policy: script-src https://example.com/ 'unsafe-inline'
+ etag: W/"*" (glob)
+
+nonce should not be added to html if CSP doesn't use it
+
+ $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|
+
+
+
+
+
+