annotate tests/test-newcgi.t @ 30766:d7bf7d2bd5ab
hgweb: support Content Security Policy

Content-Security-Policy (CSP) is a web security feature that allows
servers to declare what loaded content is allowed to do. For example,
a policy can prevent loading of images, JavaScript, CSS, etc unless
the source of that content is whitelisted (by hostname, URI scheme,
hashes of content, etc). It's a nifty security feature that provides
extra mitigation against some attacks, notably XSS.

Mitigation against these attacks is important for Mercurial because
hgweb renders repository data, which is commonly untrusted. While we
make attempts to escape things, etc, there's the possibility that
malicious data could be injected into the site content. If this happens
today, the full power of the web browser is available to that
malicious content. A restrictive CSP policy (defined by the server
operator and sent in an HTTP header which is outside the control of
malicious content), could restrict browser capabilities and mitigate
security problems posed by malicious data.

CSP works by emitting an HTTP header declaring the policy that browsers
should apply. Ideally, this header would be emitted by a layer above
Mercurial (likely the HTTP server doing the WSGI "proxying"). This
works for some CSP policies, but not all.

For example, policies to allow inline JavaScript may require setting
a "nonce" attribute on <script>. This attribute value must be unique
and non-guessable. And, the value must be present in the HTTP header
and the HTML body. This means that coordinating the value between
Mercurial and another HTTP server could be difficult: it is much
easier to generate and emit the nonce in a central location.

This commit introduces support for emitting a
Content-Security-Policy header from hgweb. A config option defines
the header value. If present, the header is emitted. A special
"%nonce%" syntax in the value triggers generation of a nonce and
inclusion in <script> elements in templates. The inclusion of a
nonce does not occur unless "%nonce%" is present. This makes this
commit completely backwards compatible and the feature opt-in.

The nonce is a type 4 UUID, which is the flavor that is randomly
generated. It has 122 random bits, which should be plenty to satisfy
the guarantees of a nonce.
field | value
---|---
author | Gregory Szorc <gregory.szorc@gmail.com>
date | Tue, 10 Jan 2017 23:37:08 -0800
parents | 7a9cbb315d84
children | b6776b34e44e
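The opt-in nonce mechanism the commit message describes, modelled as an added example (constructed here, not hgweb's own code; the header string, the function names and the choice of `str(uuid.uuid4())` as the nonce's textual form are assumptions): the operator's header value is emitted as configured, `%nonce%` is replaced by a freshly generated type 4 UUID, and the same value lands on the `<script>` element. The last function is a check an operator can run over a response to confirm the body's script nonces are exactly the ones the header authorises.

```python
import re
import uuid

# Constructed model of hgweb's "%nonce%" handling, not the project's code.
SCRIPT_TEMPLATE = '<script{nonce_attr}>var hgweb = 1;</script>'


def build_csp(header_value):
    """Return (header, nonce).

    A nonce is generated only when the operator-supplied value contains
    the literal '%nonce%'; otherwise the value passes through unchanged
    and no nonce exists for this response (the opt-in behaviour).
    """
    if '%nonce%' not in header_value:
        return header_value, None
    nonce = str(uuid.uuid4())  # type 4 UUID: 122 random bits, fresh per response
    return header_value.replace('%nonce%', nonce), nonce


def render_script(nonce):
    """Emit the nonce attribute on <script> only when a nonce is in play."""
    attr = ' nonce="%s"' % nonce if nonce else ''
    return SCRIPT_TEMPLATE.format(nonce_attr=attr)


def respond(csp_config):
    """Model one response: header and body must share the same nonce."""
    header, nonce = build_csp(csp_config)
    headers = {}
    if header:  # an empty config value means no CSP header at all
        headers['Content-Security-Policy'] = header
    return headers, render_script(nonce)


NONCE_RE = re.compile(r"'nonce-([^']+)'")
TAG_RE = re.compile(r'<script nonce="([^"]+)"')


def nonces_consistent(headers, body):
    """Operator-side check: every nonce used by a <script> in the body must
    be one the Content-Security-Policy header actually authorises."""
    csp = headers.get('Content-Security-Policy', '')
    allowed = set(NONCE_RE.findall(csp))
    used = set(TAG_RE.findall(body))
    return bool(used) and used <= allowed


if __name__ == '__main__':
    hdrs, html = respond("default-src 'self'; script-src 'nonce-%nonce%'")
    print(hdrs['Content-Security-Policy'])
    print(html, nonces_consistent(hdrs, html))
```

A policy without `%nonce%` yields a body with no `nonce` attribute, so an inline `<script>` would be blocked by a `script-src` directive that lists no other source.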
Changesets referenced by the annotation (details as shown on the page):

rev | changeset | description | author | parents
---|---|---|---|---
22046 | 7a9cbb315d84 | tests: replace exit 80 with #require | Matt Mackall <mpm@selenic.com> | 15567
15567 | 8b84d040d9f9 | tests: introduce 'hghave msys' to skip tests that would fail because of msys | Mads Kiilerich <mads@kiilerich.com> | 13269
13269 | aa3f726a2bdb | tests: remove duplication of the CGI environment variables | StevenGBrown | 12743
12743 | 4c4aeaab2339 | check-code: add 'no tab indent' check for unified tests | Adrian Buehlmann <adrian@cadifra.com> | 12470
5577 | e0173902c813 | CGI compatibility fix for d74fc8dec2b4. | Dirkjan Ochtman <dirkjan@ochtman.nl> |

rev | line | source
---|---|---
22046 | 1 | `#require no-msys # MSYS will translate web paths as if they were file paths`
15567 | 2 |
12470 | 3 | `This tests if CGI files from after d0db3462d568 but`
12470 | 4 | `before d74fc8dec2b4 still work.`
5577 | 5 |
12470 | 6 | `$ hg init test`
12470 | 7 | `$ cat >hgweb.cgi <<HGWEB`
12470 | 8 | `> #!/usr/bin/env python`
12470 | 9 | `> #`
12470 | 10 | `> # An example CGI script to use hgweb, edit as necessary`
12470 | 11 | `>`
12470 | 12 | `> import cgitb`
12470 | 13 | `> cgitb.enable()`
12470 | 14 | `>`
12470 | 15 | `> from mercurial import demandimport; demandimport.enable()`
12470 | 16 | `> from mercurial.hgweb import hgweb`
12470 | 17 | `> from mercurial.hgweb import wsgicgi`
12470 | 18 | `> from mercurial.hgweb.request import wsgiapplication`
12470 | 19 | `>`
12470 | 20 | `> def make_web_app():`
12743 | 21 | `>     return hgweb("test", "Empty test repository")`
12470 | 22 | `>`
12470 | 23 | `> wsgicgi.launch(wsgiapplication(make_web_app))`
12470 | 24 | `> HGWEB`
5577 | 25 |
12470 | 26 | `$ chmod 755 hgweb.cgi`
5577 | 27 |
12470 | 28 | `$ cat >hgweb.config <<HGWEBDIRCONF`
12470 | 29 | `> [paths]`
12470 | 30 | `> test = test`
12470 | 31 | `> HGWEBDIRCONF`
5577 | 32 |
12470 | 33 | `$ cat >hgwebdir.cgi <<HGWEBDIR`
12470 | 34 | `> #!/usr/bin/env python`
12470 | 35 | `> #`
12470 | 36 | `> # An example CGI script to export multiple hgweb repos, edit as necessary`
12470 | 37 | `>`
12470 | 38 | `> import cgitb`
12470 | 39 | `> cgitb.enable()`
12470 | 40 | `>`
12470 | 41 | `> from mercurial import demandimport; demandimport.enable()`
12470 | 42 | `> from mercurial.hgweb import hgwebdir`
12470 | 43 | `> from mercurial.hgweb import wsgicgi`
12470 | 44 | `> from mercurial.hgweb.request import wsgiapplication`
12470 | 45 | `>`
12470 | 46 | `> def make_web_app():`
12743 | 47 | `>     return hgwebdir("hgweb.config")`
12470 | 48 | `>`
12470 | 49 | `> wsgicgi.launch(wsgiapplication(make_web_app))`
12470 | 50 | `> HGWEBDIR`
5577 | 51 |
12470 | 52 | `$ chmod 755 hgwebdir.cgi`
5577 | 53 |
13269 | 54 | `$ . "$TESTDIR/cgienv"`
12470 | 55 | `$ python hgweb.cgi > page1`
12470 | 56 | `$ python hgwebdir.cgi > page2`
12470 | 57 |
12470 | 58 | `$ PATH_INFO="/test/"`
12470 | 59 | `$ PATH_TRANSLATED="/var/something/test.cgi"`
12470 | 60 | `$ REQUEST_URI="/test/test/"`
12470 | 61 | `$ SCRIPT_URI="http://hg.omnifarious.org/test/test/"`
12470 | 62 | `$ SCRIPT_URL="/test/test/"`
12470 | 63 | `$ python hgwebdir.cgi > page3`
12470 | 64 |
12470 | 65 | `$ grep -i error page1 page2 page3`
12470 | 66 | `[1]`