annotate tests/test-hgweb-csp.t @ 32884:9d472b219fb0

obsolete: use ProgrammingError over assert for volatile set registration We have ProgrammingError now.
author Pierre-Yves David <pierre-yves.david@ens-lyon.org>
date Mon, 01 May 2017 05:57:36 +0200
parents d7bf7d2bd5ab
children a6d95a8b7243
rev 30766 d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>

#require serve

  $ cat > web.conf << EOF
  > [paths]
  > / = $TESTTMP/*
  > EOF

  $ hg init repo1
  $ cd repo1
  $ touch foo
  $ hg -q commit -A -m initial
  $ cd ..

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid >> $DAEMON_PIDS

repo index should not send Content-Security-Policy header by default

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows

static page should not send CSP by default

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows

repo page should not send CSP by default, should send ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  etag: W/"*" (glob)

  $ killdaemons.py

Configure CSP without nonce

  $ cat >> web.conf << EOF
  > [web]
  > csp = script-src https://example.com/ 'unsafe-inline'
  > EOF

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid > $DAEMON_PIDS

repo index should send Content-Security-Policy header when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

static page should send CSP when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

repo page should send CSP by default, include etag w/o nonce

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
  etag: W/"*" (glob)

nonce should not be added to html if CSP doesn't use it

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
  <script type="text/javascript">
  <script type="text/javascript">

Configure CSP with nonce

  $ killdaemons.py
  $ cat >> web.conf << EOF
  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
  > EOF

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid > $DAEMON_PIDS

nonce should be substituted in CSP header

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be included in CSP for static pages

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

repo page should have nonce, no ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be added to html when used

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)

hgweb_mod w/o hgwebdir works as expected

  $ killdaemons.py

  $ hg -R repo1 serve -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
  $ cat hg.pid > $DAEMON_PIDS

static page sends CSP

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce included in <script> and headers

  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/static/mercurial.js"></script>
  <!--[if IE]><script type="text/javascript" src="/static/excanvas.js"></script><![endif]-->
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)
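The behaviour the test above checks, as an added example that is not Mercurial's own code: a small model of how a web.csp setting containing %nonce% is expanded per response, how the fresh nonce is stamped onto inline script tags but not external ones, and why the ETag is dropped in that mode. The function names, the sample HTML and the nonce encoding are assumptions of this example.

```python
"""Model of hgweb's CSP/nonce behaviour as exercised by test-hgweb-csp.t.
Added example, not Mercurial's implementation; names below are assumed."""
import re
import secrets

NONCE_PLACEHOLDER = "%nonce%"
# An opening <script> tag with no src= attribute, i.e. an inline script.
_INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)([^>]*)>")
# The 'nonce-...' source expression inside a rendered CSP header.
_NONCE_IN_CSP_RE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")

# Constructed sample, mirroring the graph page the test fetches.
SAMPLE_HTML = (
    '<script type="text/javascript" src="/repo1/static/mercurial.js"></script>\n'
    '<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js">'
    '</script><![endif]-->\n'
    '<script type="text/javascript">\nvar a = 1;\n</script>\n'
    '<script type="text/javascript">\nvar b = 2;\n</script>\n'
)


def make_nonce():
    """Per-response nonce: it must be unguessable, so it comes from the CSPRNG."""
    return secrets.token_urlsafe(16)


def render_csp(csp_setting, nonce):
    """Expand %nonce% in the configured policy; returns (header, nonce_used)."""
    if not csp_setting:
        return None, False
    used = NONCE_PLACEHOLDER in csp_setting
    return csp_setting.replace(NONCE_PLACEHOLDER, nonce), used


def add_nonce_to_inline_scripts(html, nonce):
    """Stamp nonce="..." on inline <script> tags; external ones are untouched."""
    return _INLINE_SCRIPT_RE.sub(
        lambda m: '<script%s nonce="%s">' % (m.group(1), nonce), html)


def build_response(csp_setting, html, etag, nonce=None):
    """Return (headers, body) following the rules the test asserts on."""
    nonce = nonce or make_nonce()
    headers = {}
    header, used = render_csp(csp_setting, nonce)
    if header:
        headers["content-security-policy"] = header
    if used:
        html = add_nonce_to_inline_scripts(html, nonce)
    elif etag:
        # A body carrying a per-request nonce must not be served from cache,
        # so the ETag is only emitted when no nonce was embedded.
        headers["etag"] = etag
    return headers, html


def check_nonce_consistency(headers, html):
    """Defender-side check: inline scripts all carry the header's nonce."""
    m = _NONCE_IN_CSP_RE.search(headers.get("content-security-policy", ""))
    if not m:
        return 'nonce="' not in html
    wanted = 'nonce="%s"' % m.group(1)
    attrs = _INLINE_SCRIPT_RE.findall(html)
    return bool(attrs) and all(wanted in a for a in attrs) and "etag" not in headers
```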