tests/test-hgweb-csp.t
author Raphaël Gomès <rgomes@octobus.net>
Wed, 10 Jul 2019 09:57:28 +0200
changeset 42755 749ef8c31187
parent 37828 3e3acf5d6a07
child 50725 7e5be4a7cda7
permissions -rw-r--r--
rust-dirstate: call rust dirstatemap from Python Since Rust-backed Python classes cannot be used as baseclasses (for rust-cpython anyway), we use composition rather than inheritance. This also allows us to keep the IO operations in the Python side, removing (for now) the need to rewrite VFS in Rust, which would be a heavy undertaking. Differential Revision: https://phab.mercurial-scm.org/D6634
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
30766
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
     1
#require serve
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
     2
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
     3
  $ cat > web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
     4
  > [paths]
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
     5
  > / = $TESTTMP/*
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
     6
  > EOF
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
     7
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
     8
  $ hg init repo1
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
     9
  $ cd repo1
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    10
  $ touch foo
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    11
  $ hg -q commit -A -m initial
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    12
  $ cd ..
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    13
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    14
  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    15
  $ cat hg.pid >> $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    16
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    17
repo index should not send Content-Security-Policy header by default
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    18
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    19
  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    20
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    21
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    22
static page should not send CSP by default
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    23
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    24
  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    25
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    26
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    27
repo page should not send CSP by default, should send ETag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    28
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    29
  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    30
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    31
  etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    32
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    33
  $ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    34
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    35
Configure CSP without nonce
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    36
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    37
  $ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    38
  > [web]
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    39
  > csp = script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    40
  > EOF
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    41
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    42
  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    43
  $ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    44
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    45
repo index should send Content-Security-Policy header when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    46
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    47
  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    48
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    49
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    50
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    51
static page should send CSP when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    52
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    53
  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    54
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    55
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    56
37826
d105bbb74658 tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents: 35605
diff changeset
    57
  $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy
d105bbb74658 tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents: 35605
diff changeset
    58
  200 Script output follows
d105bbb74658 tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents: 35605
diff changeset
    59
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
37828
3e3acf5d6a07 hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 37826
diff changeset
    60
  304 Not Modified
3e3acf5d6a07 hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 37826
diff changeset
    61
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
37826
d105bbb74658 tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents: 35605
diff changeset
    62
30766
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    63
repo page should send CSP by default, include etag w/o nonce
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    64
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    65
  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    66
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    67
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    68
  etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    69
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    70
nonce should not be added to html if CSP doesn't use it
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    71
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    72
  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    73
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    74
  <script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    75
  <script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    76
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    77
Configure CSP with nonce
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    78
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    79
  $ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    80
  $ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    81
  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    82
  > EOF
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    83
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    84
  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    85
  $ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    86
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    87
nonce should be substituted in CSP header
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    88
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    89
  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    90
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    91
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    92
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    93
nonce should be included in CSP for static pages
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    94
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    95
  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    96
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    97
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    98
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
    99
repo page should have nonce, no ETag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   100
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   101
  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   102
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   103
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   104
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   105
nonce should be added to html when used
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   106
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   107
  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   108
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   109
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   110
  <script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   111
  <script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   112
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   113
hgweb_mod w/o hgwebdir works as expected
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   114
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   115
  $ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   116
34483
a6d95a8b7243 serve: make tests compatible with chg
Saurabh Singh <singhsrb@fb.com>
parents: 30766
diff changeset
   117
  $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
30766
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   118
  $ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   119
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   120
static page sends CSP
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   121
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   122
  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   123
  200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   124
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   125
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   126
nonce included in <script> and headers
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   127
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   128
  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   129
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   130
  <script type="text/javascript" src="/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   131
  <script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset
   132
  <script type="text/javascript" nonce="*"> (glob)