Mercurial > hg
annotate tests/test-hgweb-csp.t @ 38178:3790efb388ca stable
lfs: bypass wrapped functions when reposetup() hasn't been called (issue5902)
There are only a handful of methods that access repo attributes that are applied
in reposetup(). The `diff` test covers all of the commands that call
scmutil.prefetchfiles(). Along the way, I saw that adding files and upgrading
the repo format were also problems (also tested here).
I don't think running `hg serve` through the commandserver is sane, but I
conditionalized both the capabilities and the wsgirequest handler because it's
trivially correct. It doesn't look like there has ever been a caller of
candownload(), so there's no test for that path.
The upload case isn't testable, because uploadblobs() bails if there are no
pointers. The requirement should be added any time pointers are introduced, and
that would force the extension to be loaded specifically for the repo. This
covers `debuglfsupload`, the pre-push hook (which isn't set until the repo is
promoted to LFS), and uploadblobsfromrevs(), which can be called by other
extensions.
I think readfromstore() and writetostore() are only reachable as a flag
processor for revlog.REVIDX_EXTSTORED, and a requirement is added as soon as
that is seen, so I don't think those are a problem.
author | Matt Harbison <matt_harbison@yahoo.com> |
---|---|
date | Thu, 31 May 2018 09:19:09 -0400 |
parents | 3e3acf5d6a07 |
children | 7e5be4a7cda7 |
rev | line source |
---|---|
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
1 #require serve |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
2 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
3 $ cat > web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
4 > [paths] |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
5 > / = $TESTTMP/* |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
6 > EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
7 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
8 $ hg init repo1 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
9 $ cd repo1 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
10 $ touch foo |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
11 $ hg -q commit -A -m initial |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
12 $ cd .. |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
13 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
14 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
15 $ cat hg.pid >> $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
16 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
17 repo index should not send Content-Security-Policy header by default |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
18 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
19 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
20 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
21 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
22 static page should not send CSP by default |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
23 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
24 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
25 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
26 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
27 repo page should not send CSP by default, should send ETag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
28 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
29 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
30 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
31 etag: W/"*" (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
32 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
33 $ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
34 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
35 Configure CSP without nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
36 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
37 $ cat >> web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
38 > [web] |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
39 > csp = script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
40 > EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
41 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
42 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
43 $ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
44 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
45 repo index should send Content-Security-Policy header when enabled |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
46 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
47 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
48 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
49 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
50 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
51 static page should send CSP when enabled |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
52 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
53 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
54 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
55 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
56 |
37826
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
57 $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy |
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
58 200 Script output follows |
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
59 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
37828
3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
37826
diff
changeset
|
60 304 Not Modified |
3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
37826
diff
changeset
|
61 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
37826
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
62 |
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
63 repo page should send CSP by default, include etag w/o nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
64 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
65 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
66 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
67 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
68 etag: W/"*" (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
69 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
70 nonce should not be added to html if CSP doesn't use it |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
71 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
72 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
73 <script type="text/javascript" src="/repo1/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
74 <script type="text/javascript"> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
75 <script type="text/javascript"> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
76 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
77 Configure CSP with nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
78 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
79 $ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
80 $ cat >> web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
81 > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
82 > EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
83 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
84 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
85 $ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
86 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
87 nonce should be substituted in CSP header |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
88 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
89 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
90 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
91 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
92 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
93 nonce should be included in CSP for static pages |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
94 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
95 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
96 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
97 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
98 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
99 repo page should have nonce, no ETag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
100 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
101 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
102 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
103 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
104 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
105 nonce should be added to html when used |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
106 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
107 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
108 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
109 <script type="text/javascript" src="/repo1/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
110 <script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
111 <script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
112 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
113 hgweb_mod w/o hgwebdir works as expected |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
114 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
115 $ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
116 |
34483
a6d95a8b7243
serve: make tests compatible with chg
Saurabh Singh <singhsrb@fb.com>
parents:
30766
diff
changeset
|
117 $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'" |
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
118 $ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
119 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
120 static page sends CSP |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
121 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
122 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
123 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
124 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
125 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
126 nonce included in <script> and headers |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
127 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
128 $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
129 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
130 <script type="text/javascript" src="/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
131 <script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
132 <script type="text/javascript" nonce="*"> (glob) |