Mercurial > hg
annotate tests/test-hgweb-csp.t @ 40425:5e5c8f2a1eb5
branchmap: do not specify changelog as an argument
Since (unfiltered)repo.changelog lookup gets as fast as __dict__ lookup,
there's no point to pass in changelog instance.
$ hg perfbranchmap --clear-revbranch -R mozilla-central
! base
(orig) wall 20.593091 comb 20.600000 user 20.520000 sys 0.080000 (best of 3)
(this) wall 20.129126 comb 20.130000 user 20.020000 sys 0.110000 (best of 3)
This backs out most of the changes in 76d4272bd57b and 47c03042cd1d.
author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Tue, 23 Oct 2018 21:11:13 +0900 |
parents | 3e3acf5d6a07 |
children | 7e5be4a7cda7 |
rev | line source |
---|---|
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
1 #require serve |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
2 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
3 $ cat > web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
4 > [paths] |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
5 > / = $TESTTMP/* |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
6 > EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
7 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
8 $ hg init repo1 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
9 $ cd repo1 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
10 $ touch foo |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
11 $ hg -q commit -A -m initial |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
12 $ cd .. |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
13 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
14 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
15 $ cat hg.pid >> $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
16 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
17 repo index should not send Content-Security-Policy header by default |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
18 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
19 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
20 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
21 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
22 static page should not send CSP by default |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
23 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
24 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
25 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
26 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
27 repo page should not send CSP by default, should send ETag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
28 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
29 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
30 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
31 etag: W/"*" (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
32 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
33 $ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
34 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
35 Configure CSP without nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
36 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
37 $ cat >> web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
38 > [web] |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
39 > csp = script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
40 > EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
41 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
42 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
43 $ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
44 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
45 repo index should send Content-Security-Policy header when enabled |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
46 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
47 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
48 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
49 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
50 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
51 static page should send CSP when enabled |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
52 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
53 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
54 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
55 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
56 |
37826
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
57 $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy |
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
58 200 Script output follows |
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
59 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
37828
3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
37826
diff
changeset
|
60 304 Not Modified |
3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
37826
diff
changeset
|
61 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
37826
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
62 |
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
63 repo page should send CSP by default, include etag w/o nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
64 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
65 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
66 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
67 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
68 etag: W/"*" (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
69 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
70 nonce should not be added to html if CSP doesn't use it |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
71 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
72 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
73 <script type="text/javascript" src="/repo1/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
74 <script type="text/javascript"> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
75 <script type="text/javascript"> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
76 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
77 Configure CSP with nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
78 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
79 $ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
80 $ cat >> web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
81 > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
82 > EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
83 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
84 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
85 $ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
86 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
87 nonce should be substituted in CSP header |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
88 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
89 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
90 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
91 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
92 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
93 nonce should be included in CSP for static pages |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
94 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
95 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
96 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
97 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
98 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
99 repo page should have nonce, no ETag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
100 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
101 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
102 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
103 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
104 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
105 nonce should be added to html when used |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
106 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
107 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
108 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
109 <script type="text/javascript" src="/repo1/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
110 <script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
111 <script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
112 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
113 hgweb_mod w/o hgwebdir works as expected |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
114 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
115 $ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
116 |
34483
a6d95a8b7243
serve: make tests compatible with chg
Saurabh Singh <singhsrb@fb.com>
parents:
30766
diff
changeset
|
117 $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'" |
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
118 $ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
119 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
120 static page sends CSP |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
121 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
122 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
123 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
124 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
125 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
126 nonce included in <script> and headers |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
127 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
128 $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
129 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
130 <script type="text/javascript" src="/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
131 <script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
132 <script type="text/javascript" nonce="*"> (glob) |