Mercurial: tests/test-hgweb-csp.t annotate

annotate tests/test-hgweb-csp.t @ 33299:41448fc51510

sparse: variable to track if sparse is enabled Currently, the sparse extension sniffs repo instances for attributes defined by the sparse extension to determine if sparse is enabled. As we move code away from repo instances, these checks will be a bit more brittle. We introduce a module-level variable to track whether sparse is enabled as a temporary workaround.

author	Gregory Szorc <gregory.szorc@gmail.com>
date	Thu, 06 Jul 2017 12:06:37 -0700
parents	d7bf7d2bd5ab
children	a6d95a8b7243

rev	line source
30766 d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	1 #require serve
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	2
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	3 $ cat > web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	4 > [paths]
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	5 > / = $TESTTMP/*
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	6 > EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	7
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	8 $ hg init repo1
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	9 $ cd repo1
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	10 $ touch foo
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	11 $ hg -q commit -A -m initial
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	12 $ cd ..
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	13
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	14 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	15 $ cat hg.pid >> $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	16
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	17 repo index should not send Content-Security-Policy header by default
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	18
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	19 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	20 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	21
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	22 static page should not send CSP by default
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	23
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	24 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	25 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	26
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	27 repo page should not send CSP by default, should send ETag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	28
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	29 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	30 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	31 etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	32
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	33 $ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	34
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	35 Configure CSP without nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	36
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	37 $ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	38 > [web]
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	39 > csp = script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	40 > EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	41
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	42 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	43 $ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	44
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	45 repo index should send Content-Security-Policy header when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	46
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	47 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	48 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	49 content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	50
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	51 static page should send CSP when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	52
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	53 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	54 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	55 content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	56
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	57 repo page should send CSP by default, include etag w/o nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	58
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	59 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	60 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	61 content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	62 etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	63
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	64 nonce should not be added to html if CSP doesn't use it
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	65
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	66 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	67 <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	68 <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	69 <script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	70 <script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	71
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	72 Configure CSP with nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	73
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	74 $ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	75 $ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	76 > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	77 > EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	78
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	79 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	80 $ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	81
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	82 nonce should be substituted in CSP header
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	83
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	84 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	85 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	86 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	87
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	88 nonce should be included in CSP for static pages
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	89
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	90 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	91 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	92 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	93
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	94 repo page should have nonce, no ETag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	95
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	96 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	97 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	98 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	99
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	100 nonce should be added to html when used
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	101
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	102 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	103 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	104 <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	105 <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	106 <script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	107 <script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	108
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	109 hgweb_mod w/o hgwebdir works as expected
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	110
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	111 $ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	112
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	113 $ hg -R repo1 serve -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	114 $ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	115
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	116 static page sends CSP
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	117
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	118 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	119 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	120 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	121
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	122 nonce included in <script> and headers
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	123
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	124 $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	125 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	126 <script type="text/javascript" src="/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	127 <!--[if IE]><script type="text/javascript" src="/static/excanvas.js"></script><![endif]-->
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	128 <script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	129 <script type="text/javascript" nonce="*"> (glob)

Mercurial > hg

annotate tests/test-hgweb-csp.t @ 33299:41448fc51510