Mercurial Mercurial > hg / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tests/test-hgweb-csp.t
author Gregory Szorc <gregory.szorc@gmail.com>
Tue, 03 Apr 2018 18:15:24 -0700
changeset 37338 cbc4425e81b5
parent 35605 45a816361926
child 37826 d105bbb74658
permissions -rw-r--r--
tests: conditionalize tests based on presence of revlogs for files ~85 tests don't like our non-revlog file store for various reasons. This commit introduces hghave functionality for declaring and querying repository features. By default, we assume repositories have revlog-based file storage. But if the HGREPOFEATURES environment variable is set, we can override the default set of repository features. If you run the test harness with our simplestorerepo extension and an environment variable set to the proper value, you can override the hghave defaults to agree with simplestorerepo's version of reality. Various tests have been modified so behavior dependent on revlog-based file storage is marked as such. This fixes a handful of test failures with our custom file storage extension. But dozens remain. The point of this commit is to demonstrate how tests will need to be modified to account for custom storage implementations. TBH, I'm not convinced hghave is the proper layer for repository feature detection. I /think/ we'll eventually want something in run-tests.py itself. But that would require inventing a new primitive in the test harness. This is all very alpha at the moment. So I think hghave is an acceptable place to hang this feature detection. I think the right time to be thinking about integrating this into run-tests.py is *after* we have a stable alternate storage implementation in core. For now, let's try to make progress towards the idea of an alternate storage backend. Differential Revision: https://phab.mercurial-scm.org/D3030
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
30766
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     1
 
#require serve
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     2
 












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     3


  $ cat > web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     4


  > [paths]













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     5


  > / = $TESTTMP/*













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     6


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     7














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     8


  $ hg init repo1













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     9


  $ cd repo1













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    10


  $ touch foo













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    11


  $ hg -q commit -A -m initial













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    12


  $ cd ..













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    13














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    14


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    15


  $ cat hg.pid >> $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    16














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    17


repo index should not send Content-Security-Policy header by default













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    18














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    19


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    20


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    21














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    22


static page should not send CSP by default













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    23














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    24


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    25


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    26














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    27


repo page should not send CSP by default, should send ETag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    28














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    29


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    30


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    31


  etag: W/"*" (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    32














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    33


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    34














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    35


Configure CSP without nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    36














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    37


  $ cat >> web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    38


  > [web]













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    39


  > csp = script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    40


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    41














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    42


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    43


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    44














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    45


repo index should send Content-Security-Policy header when enabled













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    46














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    47


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    48


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    49


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    50














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    51


static page should send CSP when enabled













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    52














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    53


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    54


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    55


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    56














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    57


repo page should send CSP by default, include etag w/o nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    58














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    59


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    60


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    61


  content-security-policy: script-src https://example.com/ 'unsafe-inline'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    62


  etag: W/"*" (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    63














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    64


nonce should not be added to html if CSP doesn't use it













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    65














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    66


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    67


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    68


  <script type="text/javascript">













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    69


  <script type="text/javascript">













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    70














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    71


Configure CSP with nonce













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    72














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    73


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    74


  $ cat >> web.conf << EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    75


  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    76


  > EOF













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    77














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    78


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    79


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    80














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    81


nonce should be substituted in CSP header













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    82














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    83


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    84


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    85


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    86














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    87


nonce should be included in CSP for static pages













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    88














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    89


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    90


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    91


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    92














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    93


repo page should have nonce, no ETag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    94














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    95


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    96


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    97


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    98














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    99


nonce should be added to html when used













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   100














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   101


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   102


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   103


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   104


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   105


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   106














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   107


hgweb_mod w/o hgwebdir works as expected













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   108














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   109


  $ killdaemons.py













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   110









34483






a6d95a8b7243
serve: make tests compatible with chg



Saurabh Singh <singhsrb@fb.com>


parents: 
30766

diff
changeset




   111


  $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"








30766






d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   112


  $ cat hg.pid > $DAEMON_PIDS













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   113














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   114


static page sends CSP













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   115














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   116


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   117


  200 Script output follows













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   118


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   119














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   120


nonce included in <script> and headers













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   121














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   122


  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   123


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   124


  <script type="text/javascript" src="/static/mercurial.js"></script>













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   125


  <script type="text/javascript" nonce="*"> (glob)













d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   126


  <script type="text/javascript" nonce="*"> (glob)















Mercurial