Mercurial: tests/test-hgweb-csp.t annotate

annotate tests/test-hgweb-csp.t @ 35806:ab239e3de23b stable

tests: add a pattern to fix --pure tests Test Plan: ran all tests with and without --pure, everything passed on gcc112. Differential Revision: https://phab.mercurial-scm.org/D1946

author	Augie Fackler <augie@google.com>
date	Sat, 27 Jan 2018 21:50:04 -0500
parents	45a816361926
children	d105bbb74658

rev	line source
30766 d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	1 #require serve
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	2
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	3 $ cat > web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	4 > [paths]
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	5 > / = $TESTTMP/*
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	6 > EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	7
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	8 $ hg init repo1
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	9 $ cd repo1
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	10 $ touch foo
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	11 $ hg -q commit -A -m initial
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	12 $ cd ..
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	13
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	14 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	15 $ cat hg.pid >> $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	16
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	17 repo index should not send Content-Security-Policy header by default
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	18
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	19 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	20 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	21
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	22 static page should not send CSP by default
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	23
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	24 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	25 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	26
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	27 repo page should not send CSP by default, should send ETag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	28
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	29 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	30 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	31 etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	32
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	33 $ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	34
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	35 Configure CSP without nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	36
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	37 $ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	38 > [web]
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	39 > csp = script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	40 > EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	41
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	42 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	43 $ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	44
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	45 repo index should send Content-Security-Policy header when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	46
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	47 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	48 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	49 content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	50
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	51 static page should send CSP when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	52
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	53 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	54 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	55 content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	56
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	57 repo page should send CSP by default, include etag w/o nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	58
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	59 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	60 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	61 content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	62 etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	63
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	64 nonce should not be added to html if CSP doesn't use it
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	65
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	66 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	67 <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	68 <script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	69 <script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	70
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	71 Configure CSP with nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	72
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	73 $ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	74 $ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	75 > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	76 > EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	77
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	78 $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	79 $ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	80
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	81 nonce should be substituted in CSP header
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	82
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	83 $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	84 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	85 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	86
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	87 nonce should be included in CSP for static pages
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	88
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	89 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	90 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	91 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	92
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	93 repo page should have nonce, no ETag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	94
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	95 $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	96 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	97 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	98
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	99 nonce should be added to html when used
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	100
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	101 $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	102 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	103 <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	104 <script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	105 <script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	106
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	107 hgweb_mod w/o hgwebdir works as expected
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	108
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	109 $ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	110
34483 a6d95a8b7243 serve: make tests compatible with chg Saurabh Singh <singhsrb@fb.com> parents: 30766 diff changeset	111 $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
30766 d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	112 $ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	113
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	114 static page sends CSP
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	115
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	116 $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	117 200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	118 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	119
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	120 nonce included in <script> and headers
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	121
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	122 $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	123 content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	124 <script type="text/javascript" src="/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	125 <script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	126 <script type="text/javascript" nonce="*"> (glob)

Mercurial > hg

annotate tests/test-hgweb-csp.t @ 35806:ab239e3de23b stable