Mercurial > hg
annotate mercurial/templates/monoblue/graph.tmpl @ 30766:d7bf7d2bd5ab
hgweb: support Content Security Policy
Content-Security-Policy (CSP) is a web security feature that allows
servers to declare what loaded content is allowed to do. For example,
a policy can prevent loading of images, JavaScript, CSS, etc unless
the source of that content is whitelisted (by hostname, URI scheme,
hashes of content, etc). It's a nifty security feature that provides
extra mitigation against some attacks, notably XSS.
Mitigation against these attacks is important for Mercurial because
hgweb renders repository data, which is commonly untrusted. While we
make attempts to escape things, etc, there's the possibility that
malicious data could be injected into the site content. If this happens
today, the full power of the web browser is available to that
malicious content. A restrictive CSP policy (defined by the server
operator and sent in an HTTP header which is outside the control of
malicious content), could restrict browser capabilities and mitigate
security problems posed by malicious data.
CSP works by emitting an HTTP header declaring the policy that browsers
should apply. Ideally, this header would be emitted by a layer above
Mercurial (likely the HTTP server doing the WSGI "proxying"). This
works for some CSP policies, but not all.
For example, policies to allow inline JavaScript may require setting
a "nonce" attribute on <script>. This attribute value must be unique
and non-guessable. And, the value must be present in the HTTP header
and the HTML body. This means that coordinating the value between
Mercurial and another HTTP server could be difficult: it is much
easier to generate and emit the nonce in a central location.
This commit introduces support for emitting a
Content-Security-Policy header from hgweb. A config option defines
the header value. If present, the header is emitted. A special
"%nonce%" syntax in the value triggers generation of a nonce and
inclusion in <script> elements in templates. The inclusion of a
nonce does not occur unless "%nonce%" is present. This makes this
commit completely backwards compatible and the feature opt-in.
The nonce is a type 4 UUID, which is the flavor that is randomly
generated. It has 122 random bits, which should be plenty to satisfy
the guarantees of a nonce.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Tue, 10 Jan 2017 23:37:08 -0800 |
| parents | 91ac8cb79125 |
| children | 265196cd7d7f |
| rev | line source |
|---|---|
|
8430
8b47efdf40ee
monoblue: use newer template syntax everywhere
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8355
diff
changeset
|
1 {header} |
|
8b47efdf40ee
monoblue: use newer template syntax everywhere
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8355
diff
changeset
|
2 <title>{repo|escape}: graph</title> |
|
18526
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
3 <link rel="alternate" type="application/atom+xml" href="{url|urlescape}atom-log" title="Atom feed for {repo|escape}"/> |
|
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
4 <link rel="alternate" type="application/rss+xml" href="{url|urlescape}rss-log" title="RSS feed for {repo|escape}"/> |
|
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
5 <!--[if IE]><script type="text/javascript" src="{staticurl|urlescape}excanvas.js"></script><![endif]--> |
| 7111 | 6 </head> |
| 7 | |
| 8 <body> | |
| 9 <div id="container"> | |
| 10 <div class="page-header"> | |
|
18258
bebb05a7e249
hgweb: add a "URL breadcrumb" to the index and repository pages
Angel Ezquerra <angel.ezquerra at gmail.com>
parents:
17580
diff
changeset
|
11 <h1 class="breadcrumb"><a href="/">Mercurial</a> {pathdef%breadcrumb} / graph</h1> |
| 7111 | 12 |
|
18526
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
13 <form action="{url|urlescape}log"> |
| 7111 | 14 {sessionvars%hiddenformentry} |
| 15 <dl class="search"> | |
| 16 <dt><label>Search: </label></dt> | |
| 17 <dd><input type="text" name="rev" /></dd> | |
| 18 </dl> | |
| 19 </form> | |
| 20 | |
| 21 <ul class="page-nav"> | |
|
18526
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
22 <li><a href="{url|urlescape}summary{sessionvars%urlparameter}">summary</a></li> |
|
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
23 <li><a href="{url|urlescape}shortlog{sessionvars%urlparameter}">shortlog</a></li> |
|
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
24 <li><a href="{url|urlescape}changelog{sessionvars%urlparameter}">changelog</a></li> |
| 7111 | 25 <li class="current">graph</li> |
|
18526
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
26 <li><a href="{url|urlescape}tags{sessionvars%urlparameter}">tags</a></li> |
|
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
27 <li><a href="{url|urlescape}bookmarks{sessionvars%urlparameter}">bookmarks</a></li> |
|
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
28 <li><a href="{url|urlescape}branches{sessionvars%urlparameter}">branches</a></li> |
|
25604
0cdcbc477cac
hgweb: don't dereference symbolic revision in monoblue style
Anton Shestakov <av6@dwimlabs.net>
parents:
24129
diff
changeset
|
29 <li><a href="{url|urlescape}file/{symrev}{sessionvars%urlparameter}">files</a></li> |
|
24129
3fc86f1c39d8
hgweb: don't mix tabs and spaces in monoblue templates
Anton Shestakov <engored@ya.ru>
parents:
20255
diff
changeset
|
30 <li><a href="{url|urlescape}help{sessionvars%urlparameter}">help</a></li> |
| 7111 | 31 </ul> |
| 32 </div> | |
| 33 | |
| 34 <h2 class="no-link no-border">graph</h2> | |
| 35 | |
| 36 <div id="noscript">The revision graph only works with JavaScript-enabled browsers.</div> | |
| 37 <div id="wrapper"> | |
| 38 <ul id="nodebgs"></ul> | |
|
27913
91ac8cb79125
templates: use canvaswidth instead of fixed width for canvas (issue2683)
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
25604
diff
changeset
|
39 <canvas id="graph" width="{canvaswidth}" height="{canvasheight}"></canvas> |
| 7111 | 40 <ul id="graphnodes"></ul> |
| 41 </div> | |
| 42 | |
|
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27913
diff
changeset
|
43 <script{if(nonce, ' nonce="{nonce}"')}> |
| 7111 | 44 <!-- hide script content |
| 45 | |
| 46 document.getElementById('noscript').style.display = 'none'; | |
| 47 | |
| 48 var data = {jsdata|json}; | |
| 49 var graph = new Graph(); | |
| 50 graph.scale({bg_height}); | |
| 51 | |
|
10856
b07bd417115b
templates: escape javascript braces
Matt Mackall <mpm@selenic.com>
parents:
10575
diff
changeset
|
52 graph.vertex = function(x, y, color, parity, cur) \{ |
| 7111 | 53 |
| 54 this.ctx.beginPath(); | |
| 55 color = this.setColor(color, 0.25, 0.75); | |
| 56 this.ctx.arc(x, y, radius, 0, Math.PI * 2, true); | |
| 57 this.ctx.fill(); | |
| 58 | |
| 59 var bg = '<li class="bg parity' + parity + '"></li>'; | |
|
17580
ffe3630cb243
hgweb: fix incorrect graph padding calculation (issue3626)
Tim Delaney <timothy.c.delaney@gmail.com>
parents:
17421
diff
changeset
|
60 var left = (this.bg_height - this.box_size) + (this.columns + 1) * this.box_size; |
| 7111 | 61 var nstyle = 'padding-left: ' + left + 'px;'; |
| 62 | |
|
7408
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
63 var tagspan = ''; |
|
13794
5c18a0bca26f
hgweb: add bookmark labels to monoblue theme (based on 270f57d35525)
Yuya Nishihara <yuya@tcha.org>
parents:
13610
diff
changeset
|
64 if (cur[7].length || cur[8].length || (cur[6][0] != 'default' || cur[6][1])) \{ |
|
7408
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
65 tagspan = '<span class="logtags">'; |
|
10856
b07bd417115b
templates: escape javascript braces
Matt Mackall <mpm@selenic.com>
parents:
10575
diff
changeset
|
66 if (cur[6][1]) \{ |
|
7408
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
67 tagspan += '<span class="branchtag" title="' + cur[6][0] + '">'; |
|
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
68 tagspan += cur[6][0] + '</span> '; |
|
10856
b07bd417115b
templates: escape javascript braces
Matt Mackall <mpm@selenic.com>
parents:
10575
diff
changeset
|
69 } else if (!cur[6][1] && cur[6][0] != 'default') \{ |
|
7408
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
70 tagspan += '<span class="inbranchtag" title="' + cur[6][0] + '">'; |
|
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
71 tagspan += cur[6][0] + '</span> '; |
|
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
72 } |
|
10856
b07bd417115b
templates: escape javascript braces
Matt Mackall <mpm@selenic.com>
parents:
10575
diff
changeset
|
73 if (cur[7].length) \{ |
|
b07bd417115b
templates: escape javascript braces
Matt Mackall <mpm@selenic.com>
parents:
10575
diff
changeset
|
74 for (var t in cur[7]) \{ |
|
7408
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
75 var tag = cur[7][t]; |
|
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
76 tagspan += '<span class="tagtag">' + tag + '</span> '; |
|
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
77 } |
|
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
78 } |
|
13794
5c18a0bca26f
hgweb: add bookmark labels to monoblue theme (based on 270f57d35525)
Yuya Nishihara <yuya@tcha.org>
parents:
13610
diff
changeset
|
79 if (cur[8].length) \{ |
|
5c18a0bca26f
hgweb: add bookmark labels to monoblue theme (based on 270f57d35525)
Yuya Nishihara <yuya@tcha.org>
parents:
13610
diff
changeset
|
80 for (var t in cur[8]) \{ |
|
5c18a0bca26f
hgweb: add bookmark labels to monoblue theme (based on 270f57d35525)
Yuya Nishihara <yuya@tcha.org>
parents:
13610
diff
changeset
|
81 var bookmark = cur[8][t]; |
|
5c18a0bca26f
hgweb: add bookmark labels to monoblue theme (based on 270f57d35525)
Yuya Nishihara <yuya@tcha.org>
parents:
13610
diff
changeset
|
82 tagspan += '<span class="bookmarktag">' + bookmark + '</span> '; |
|
5c18a0bca26f
hgweb: add bookmark labels to monoblue theme (based on 270f57d35525)
Yuya Nishihara <yuya@tcha.org>
parents:
13610
diff
changeset
|
83 } |
|
5c18a0bca26f
hgweb: add bookmark labels to monoblue theme (based on 270f57d35525)
Yuya Nishihara <yuya@tcha.org>
parents:
13610
diff
changeset
|
84 } |
|
7408
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
85 tagspan += '</span>'; |
|
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
86 } |
|
f031a12dfc31
coal/paper/monoblue: show branch names in hgweb graph
Benoit Allard <benoit@aeteurope.nl>
parents:
7111
diff
changeset
|
87 |
|
17421
3eb85477c0d9
hgweb: avoid bad $$ processing in graph (issue3601)
Mads Kiilerich <mads@kiilerich.com>
parents:
16137
diff
changeset
|
88 var item = '<li style="' + nstyle + '"><span class="desc">'; |
|
18526
9409aeaafdc1
hgweb: urlescape all urls, HTML escape repo/tag/branch/... names
Thomas Arendsen Hein <thomas@intevation.de>
parents:
18258
diff
changeset
|
89 item += '<a href="{url|urlescape}rev/' + cur[0] + '{sessionvars%urlparameter}" title="' + cur[0] + '">' + cur[3] + '</a>'; |
|
17421
3eb85477c0d9
hgweb: avoid bad $$ processing in graph (issue3601)
Mads Kiilerich <mads@kiilerich.com>
parents:
16137
diff
changeset
|
90 item += '</span>' + tagspan + '<span class="info">' + cur[5] + ', by ' + cur[4] + '</span></li>'; |
|
3eb85477c0d9
hgweb: avoid bad $$ processing in graph (issue3601)
Mads Kiilerich <mads@kiilerich.com>
parents:
16137
diff
changeset
|
91 |
| 7111 | 92 return [bg, item]; |
| 93 | |
| 94 } | |
| 95 | |
| 96 graph.render(data); | |
| 97 | |
| 98 // stop hiding script --> | |
| 99 </script> | |
| 100 | |
| 101 <div class="page-path"> | |
|
25604
0cdcbc477cac
hgweb: don't dereference symbolic revision in monoblue style
Anton Shestakov <av6@dwimlabs.net>
parents:
24129
diff
changeset
|
102 <a href="{url|urlescape}graph/{symrev}{lessvars%urlparameter}">less</a> |
|
0cdcbc477cac
hgweb: don't dereference symbolic revision in monoblue style
Anton Shestakov <av6@dwimlabs.net>
parents:
24129
diff
changeset
|
103 <a href="{url|urlescape}graph/{symrev}{morevars%urlparameter}">more</a> |
|
10254
8d5de52431f2
hgweb: changenav: separate pages before and after the current position
Nicolas Dumazet <nicdumz.commits@gmail.com>
parents:
9999
diff
changeset
|
104 | {changenav%navgraph} |
| 7111 | 105 </div> |
| 106 | |
|
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27913
diff
changeset
|
107 <script type="text/javascript"{if(nonce, ' nonce="{nonce}"')}> |
|
20255
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
108 ajaxScrollInit( |
|
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
109 '{url|urlescape}graph/{rev}?revcount=%next%&style={style}', |
|
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
110 {revcount}+60, |
|
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
111 function (htmlText, previousVal) \{ return previousVal + 60; }, |
|
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
112 '#wrapper', |
|
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
113 '<div class="%class%" style="text-align: center;">%text%</div>', |
|
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
114 'graph' |
|
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
115 ); |
|
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
116 </script> |
|
b1d65cb8c759
hgweb: infinite scroll support for monoblue style
Takumi IINO <trot.thunder@gmail.com>
parents:
18526
diff
changeset
|
117 |
|
8430
8b47efdf40ee
monoblue: use newer template syntax everywhere
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8355
diff
changeset
|
118 {footer} |