Mercurial > hg
annotate tests/test-hgweb-csp.t @ 42943:5fadf6103790
remotefilelog: replace repack lock to solve race condition
2c74337e6483 reduced the probability of race-conditions when starting
background repack and prefetch and we saw the difference in our CI instance
with all failures disappearing except one where one call to waitonrepack seems
to returns too early.
I'm not sure what exactly goes wrong but I realized that while the prefetch
operation uses a standard Mercurial lock, the repack operation is using a
custom lock based on `fcntl.flock` on available platforms. As `extutil.flock`
fallback on traditional Mercurial locks on other platforms and the tests are
stable on my laptop, our CI environment and GCC112, I'm sending this patch to
standardize the behavior across environments.
Differential Revision: https://phab.mercurial-scm.org/D6844
author | Boris Feld <boris.feld@octobus.net> |
---|---|
date | Wed, 11 Sep 2019 17:41:13 +0200 |
parents | 3e3acf5d6a07 |
children | 7e5be4a7cda7 |
rev | line source |
---|---|
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
1 #require serve |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
2 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
3 $ cat > web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
4 > [paths] |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
5 > / = $TESTTMP/* |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
6 > EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
7 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
8 $ hg init repo1 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
9 $ cd repo1 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
10 $ touch foo |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
11 $ hg -q commit -A -m initial |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
12 $ cd .. |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
13 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
14 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
15 $ cat hg.pid >> $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
16 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
17 repo index should not send Content-Security-Policy header by default |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
18 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
19 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
20 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
21 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
22 static page should not send CSP by default |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
23 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
24 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
25 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
26 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
27 repo page should not send CSP by default, should send ETag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
28 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
29 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
30 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
31 etag: W/"*" (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
32 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
33 $ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
34 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
35 Configure CSP without nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
36 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
37 $ cat >> web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
38 > [web] |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
39 > csp = script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
40 > EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
41 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
42 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
43 $ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
44 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
45 repo index should send Content-Security-Policy header when enabled |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
46 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
47 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
48 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
49 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
50 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
51 static page should send CSP when enabled |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
52 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
53 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
54 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
55 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
56 |
37826
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
57 $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy |
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
58 200 Script output follows |
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
59 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
37828
3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
37826
diff
changeset
|
60 304 Not Modified |
3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
37826
diff
changeset
|
61 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
37826
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
62 |
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
63 repo page should send CSP by default, include etag w/o nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
64 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
65 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
66 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
67 content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
68 etag: W/"*" (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
69 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
70 nonce should not be added to html if CSP doesn't use it |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
71 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
72 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
73 <script type="text/javascript" src="/repo1/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
74 <script type="text/javascript"> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
75 <script type="text/javascript"> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
76 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
77 Configure CSP with nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
78 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
79 $ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
80 $ cat >> web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
81 > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
82 > EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
83 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
84 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
85 $ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
86 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
87 nonce should be substituted in CSP header |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
88 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
89 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
90 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
91 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
92 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
93 nonce should be included in CSP for static pages |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
94 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
95 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
96 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
97 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
98 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
99 repo page should have nonce, no ETag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
100 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
101 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
102 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
103 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
104 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
105 nonce should be added to html when used |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
106 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
107 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
108 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
109 <script type="text/javascript" src="/repo1/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
110 <script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
111 <script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
112 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
113 hgweb_mod w/o hgwebdir works as expected |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
114 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
115 $ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
116 |
34483
a6d95a8b7243
serve: make tests compatible with chg
Saurabh Singh <singhsrb@fb.com>
parents:
30766
diff
changeset
|
117 $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'" |
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
118 $ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
119 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
120 static page sends CSP |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
121 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
122 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
123 200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
124 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
125 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
126 nonce included in <script> and headers |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
127 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
128 $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
129 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
130 <script type="text/javascript" src="/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
131 <script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
132 <script type="text/javascript" nonce="*"> (glob) |