Mercurial Mercurial > hg / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tests/test-hgweb-csp.t
author Gregory Szorc <gregory.szorc@gmail.com>
Wed, 04 Apr 2018 21:27:02 -0700
changeset 37438 7b7ca9ba2de5
parent 35605 45a816361926
child 37826 d105bbb74658
permissions -rw-r--r--
commands: don't violate storage abstractions in `manifest --all` Previously, we asked the store to emit its data files. For modern repos, this would use fncache to resolve the set of files then would stat() each file. For my copy of the mozilla-unified repository, this took 3.3-10s depending on the state of my filesystem cache to render 449,790 items. The previous behavior was a massive layering violation because it assumed tracked files would have specific filenames in specific directories. Alternate storage backends would violate this assumption. The new behavior scans the changelog entries for the set of files changed by each commit. It aggregates them into a set and then sorts and prints the result. This reliably takes ~16.3s on my machine. ~80% of the time is spent in zlib decompression. The performance regression is unfortunate. If we want to claw it back, we can create a proper storage API to query for the set of tracked files. I'm not opposed to doing that. But I'm in no hurry because I suspect ~0 people care about the performance of `hg manifest --all`. .. perf:: `hg manifest --all` is likely slower due to changing its implementation to respect storage interface boundaries. If you are impacted by this regression in a meaningful way, please make noise on the development mailing list and it can be dealt with. Differential Revision: https://phab.mercurial-scm.org/D3119
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
30766
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     1
 
#require serve
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     2
 












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     3


  $ cat > web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     4


  > [paths]













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     5


  > / = $TESTTMP/*













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     6


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     7














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     8


  $ hg init repo1













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     9


  $ cd repo1













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    10


  $ touch foo













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    11


  $ hg -q commit -A -m initial













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    12


  $ cd ..













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    13














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    14


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    15


  $ cat hg.pid >> $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    16














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    17


repo index should not send Content-Security-Policy header by default













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    18














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    19


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    20


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    21














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    22


static page should not send CSP by default













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    23














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    24


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    25


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    26














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    27


repo page should not send CSP by default, should send ETag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    28














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    29


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    30


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    31


  etag: W/"*" (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    32














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    33


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    34














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    35


Configure CSP without nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    36














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    37


  $ cat >> web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    38


  > [web]













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    39


  > csp = script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    40


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    41














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    42


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    43


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    44














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    45


repo index should send Content-Security-Policy header when enabled













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    46














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    47


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    48


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    49


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    50














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    51


static page should send CSP when enabled













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    52














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    53


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    54


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    55


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    56














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    57


repo page should send CSP by default, include etag w/o nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    58














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    59


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    60


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    61


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    62


  etag: W/"*" (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    63














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    64


nonce should not be added to html if CSP doesn't use it













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    65














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    66


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    67


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    68


  <script type="text/javascript">













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    69


  <script type="text/javascript">













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    70














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    71


Configure CSP with nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    72














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    73


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    74


  $ cat >> web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    75


  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    76


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    77














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    78


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    79


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    80














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    81


nonce should be substituted in CSP header













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    82














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    83


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    84


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    85


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    86














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    87


nonce should be included in CSP for static pages













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    88














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    89


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    90


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    91


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    92














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    93


repo page should have nonce, no ETag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    94














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    95


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    96


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    97


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    98














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    99


nonce should be added to html when used













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   100














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   101


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   102


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   103


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   104


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   105


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   106














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   107


hgweb_mod w/o hgwebdir works as expected













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   108














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   109


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   110









34483






a6d95a8b7243
serve: make tests compatible with chg



Saurabh Singh <singhsrb@fb.com>


parents: 
30766

diff
changeset




   111


  $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"








30766






d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   112


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   113














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   114


static page sends CSP













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   115














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   116


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   117


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   118


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   119














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   120


nonce included in <script> and headers













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   121














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   122


  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   123


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   124


  <script type="text/javascript" src="/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   125


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   126


  <script type="text/javascript" nonce="*"> (glob)















Mercurial