Mercurial: tests/test-hgweb-csp.t@526e4597cca5 (annotated)

30766 d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	1	#require serve
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	2
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	3	$ cat > web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	4	> [paths]
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	5	> / = $TESTTMP/*
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	6	> EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	7
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	8	$ hg init repo1
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	9	$ cd repo1
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	10	$ touch foo
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	11	$ hg -q commit -A -m initial
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	12	$ cd ..
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	13
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	14	$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	15	$ cat hg.pid >> $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	16
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	17	repo index should not send Content-Security-Policy header by default
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	18
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	19	$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	20	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	21
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	22	static page should not send CSP by default
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	23
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	24	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	25	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	26
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	27	repo page should not send CSP by default, should send ETag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	28
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	29	$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	30	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	31	etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	32
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	33	$ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	34
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	35	Configure CSP without nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	36
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	37	$ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	38	> [web]
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	39	> csp = script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	40	> EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	41
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	42	$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	43	$ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	44
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	45	repo index should send Content-Security-Policy header when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	46
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	47	$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	48	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	49	content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	50
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	51	static page should send CSP when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	52
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	53	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	54	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	55	content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	56
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	57	repo page should send CSP by default, include etag w/o nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	58
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	59	$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	60	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	61	content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	62	etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	63
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	64	nonce should not be added to html if CSP doesn't use it
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	65
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	66	$ get-with-headers.py localhost:$HGPORT repo1/graph/tip \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	67	<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	68	<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	69	<script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	70	<script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	71
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	72	Configure CSP with nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	73
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	74	$ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	75	$ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	76	> csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	77	> EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	78
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	79	$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	80	$ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	81
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	82	nonce should be substituted in CSP header
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	83
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	84	$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	85	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	86	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	87
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	88	nonce should be included in CSP for static pages
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	89
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	90	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	91	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	92	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	93
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	94	repo page should have nonce, no ETag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	95
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	96	$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	97	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	98	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	99
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	100	nonce should be added to html when used
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	101
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	102	$ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	103	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	104	<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	105	<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	106	<script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	107	<script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	108
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	109	hgweb_mod w/o hgwebdir works as expected
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	110
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	111	$ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	112
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	113	$ hg -R repo1 serve -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	114	$ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	115
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	116	static page sends CSP
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	117
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	118	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	119	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	120	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	121
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	122	nonce included in <script> and headers
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	123
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	124	$ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	125	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	126	<script type="text/javascript" src="/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	127	<!--[if IE]><script type="text/javascript" src="/static/excanvas.js"></script><![endif]-->
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	128	<script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	129	<script type="text/javascript" nonce="*"> (glob)

author	Pulkit Goyal <7895pulkit@gmail.com>
	Fri, 07 Apr 2017 23:35:51 +0530
changeset 31843	526e4597cca5
parent 30766	d7bf7d2bd5ab
child 34483	a6d95a8b7243
permissions	-rw-r--r--