Mercurial Mercurial > hg / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tests/test-hgweb-csp.t
author Pierre-Yves David <pierre-yves.david@octobus.net>
Tue, 16 Apr 2019 17:26:38 +0200
changeset 42159 4f9a89837f07
parent 37828 3e3acf5d6a07
child 50725 7e5be4a7cda7
permissions -rw-r--r--
setdiscovery: stop limiting the number of local head we initially send In our testing this limitation provides now real gain and instead triggers pathological discovery timing for some repository with many heads. See inline documentation for details. Some timing below: Mozilla try repository, (~1M revs, ~35K heads), discovery between 2 clones with 100 head missing on each side before: ! wall 1.492111 comb 1.490000 user 1.450000 sys 0.040000 (best of 20) ! wall 1.813992 comb 1.820000 user 1.700000 sys 0.120000 (max of 20) ! wall 1.574326 comb 1.573500 user 1.522000 sys 0.051500 (avg of 20) ! wall 1.572583 comb 1.570000 user 1.520000 sys 0.050000 (median of 20) after: ! wall 1.147834 comb 1.150000 user 1.090000 sys 0.060000 (best of 20) ! wall 1.449144 comb 1.450000 user 1.330000 sys 0.120000 (max of 20) ! wall 1.204618 comb 1.202500 user 1.146500 sys 0.056000 (avg of 20) ! wall 1.194407 comb 1.190000 user 1.140000 sys 0.050000 (median of 20) pypy (~100 heads, 317 heads) discovery between clones with only 42 common heads before: ! wall 0.031653 comb 0.030000 user 0.030000 sys 0.000000 (best of 25) ! wall 0.055719 comb 0.050000 user 0.040000 sys 0.010000 (max of 25) ! wall 0.038939 comb 0.039600 user 0.038400 sys 0.001200 (avg of 25) ! wall 0.038660 comb 0.050000 user 0.040000 sys 0.010000 (median of 25) after: ! wall 0.018754 comb 0.020000 user 0.020000 sys 0.000000 (best of 49) ! wall 0.034505 comb 0.040000 user 0.030000 sys 0.010000 (max of 49) ! wall 0.019631 comb 0.019796 user 0.018367 sys 0.001429 (avg of 49) ! wall 0.019132 comb 0.020000 user 0.020000 sys 0.000000 (median of 49) Private repository (~1M revs, ~3K heads), discovery from a strip subset, about 100 changesets to be pulled. before: ! wall 1.837729 comb 1.840000 user 1.790000 sys 0.050000 (best of 20) ! wall 2.203468 comb 2.200000 user 2.100000 sys 0.100000 (max of 20) ! wall 2.049355 comb 2.048500 user 2.002500 sys 0.046000 (avg of 20) ! wall 2.035315 comb 2.040000 user 2.000000 sys 0.040000 (median of 20) after: ! wall 0.136598 comb 0.130000 user 0.110000 sys 0.020000 (best of 20) ! wall 0.330519 comb 0.330000 user 0.260000 sys 0.070000 (max of 20) ! wall 0.157254 comb 0.155500 user 0.123000 sys 0.032500 (avg of 20) ! wall 0.149870 comb 0.140000 user 0.110000 sys 0.030000 (median of 20) Same private repo, discovery between two clone with 500 different heads on each side: before: ! wall 2.372919 comb 2.370000 user 2.320000 sys 0.050000 (best of 20) ! wall 2.622422 comb 2.610000 user 2.510000 sys 0.100000 (max of 20) ! wall 2.450135 comb 2.450000 user 2.402000 sys 0.048000 (avg of 20) ! wall 2.443896 comb 2.450000 user 2.410000 sys 0.040000 (median of 20) after: ! wall 0.625497 comb 0.620000 user 0.570000 sys 0.050000 (best of 20) ! wall 0.834723 comb 0.820000 user 0.730000 sys 0.090000 (max of 20) ! wall 0.675725 comb 0.675500 user 0.628000 sys 0.047500 (avg of 20) ! wall 0.671614 comb 0.680000 user 0.640000 sys 0.040000 (median of 20)
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
30766
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     1
 
#require serve
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     2
 












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     3


  $ cat > web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     4


  > [paths]













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     5


  > / = $TESTTMP/*













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     6


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     7














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     8


  $ hg init repo1













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     9


  $ cd repo1













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    10


  $ touch foo













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    11


  $ hg -q commit -A -m initial













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    12


  $ cd ..













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    13














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    14


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    15


  $ cat hg.pid >> $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    16














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    17


repo index should not send Content-Security-Policy header by default













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    18














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    19


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    20


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    21














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    22


static page should not send CSP by default













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    23














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    24


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    25


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    26














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    27


repo page should not send CSP by default, should send ETag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    28














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    29


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    30


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    31


  etag: W/"*" (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    32














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    33


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    34














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    35


Configure CSP without nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    36














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    37


  $ cat >> web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    38


  > [web]













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    39


  > csp = script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    40


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    41














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    42


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    43


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    44














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    45


repo index should send Content-Security-Policy header when enabled













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    46














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    47


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    48


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    49


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    50














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    51


static page should send CSP when enabled













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    52














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    53


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    54


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    55


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    56









37826






d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
35605

diff
changeset




    57


  $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy













d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
35605

diff
changeset




    58


  200 Script output follows













d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
35605

diff
changeset




    59


  content-security-policy: script-src https://example.com/ 'unsafe-inline'








37828






3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
37826

diff
changeset




    60


  304 Not Modified













3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
37826

diff
changeset




    61


  content-security-policy: script-src https://example.com/ 'unsafe-inline'








37826






d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir



Gregory Szorc <gregory.szorc@gmail.com>


parents: 
35605

diff
changeset




    62









30766






d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    63


repo page should send CSP by default, include etag w/o nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    64














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    65


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    66


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    67


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    68


  etag: W/"*" (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    69














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    70


nonce should not be added to html if CSP doesn't use it













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    71














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    72


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    73


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    74


  <script type="text/javascript">













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    75


  <script type="text/javascript">













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    76














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    77


Configure CSP with nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    78














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    79


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    80


  $ cat >> web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    81


  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    82


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    83














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    84


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    85


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    86














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    87


nonce should be substituted in CSP header













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    88














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    89


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    90


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    91


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    92














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    93


nonce should be included in CSP for static pages













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    94














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    95


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    96


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    97


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    98














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    99


repo page should have nonce, no ETag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   100














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   101


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   102


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   103


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   104














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   105


nonce should be added to html when used













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   106














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   107


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   108


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   109


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   110


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   111


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   112














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   113


hgweb_mod w/o hgwebdir works as expected













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   114














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   115


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   116









34483






a6d95a8b7243
serve: make tests compatible with chg



Saurabh Singh <singhsrb@fb.com>


parents: 
30766

diff
changeset




   117


  $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"








30766






d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   118


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   119














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   120


static page sends CSP













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   121














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   122


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   123


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   124


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   125














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   126


nonce included in <script> and headers













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   127














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   128


  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   129


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   130


  <script type="text/javascript" src="/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   131


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   132


  <script type="text/javascript" nonce="*"> (glob)















Mercurial