author | Pierre-Yves David <pierre-yves.david@octobus.net> |
Sat, 16 Jan 2021 02:18:55 +0100 | |
changeset 46397 | f213b250fed0 |
parent 37828 | 3e3acf5d6a07 |
child 50725 | 7e5be4a7cda7 |
permissions | -rw-r--r-- |
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
1 |
#require serve |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
2 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
3 |
$ cat > web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
4 |
> [paths] |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
5 |
> / = $TESTTMP/* |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
6 |
> EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
7 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
8 |
$ hg init repo1 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
9 |
$ cd repo1 |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
10 |
$ touch foo |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
11 |
$ hg -q commit -A -m initial |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
12 |
$ cd .. |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
13 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
14 |
$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
15 |
$ cat hg.pid >> $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
16 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
17 |
repo index should not send Content-Security-Policy header by default |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
18 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
19 |
$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
20 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
21 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
22 |
static page should not send CSP by default |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
23 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
24 |
$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
25 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
26 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
27 |
repo page should not send CSP by default, should send ETag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
28 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
29 |
$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
30 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
31 |
etag: W/"*" (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
32 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
33 |
$ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
34 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
35 |
Configure CSP without nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
36 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
37 |
$ cat >> web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
38 |
> [web] |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
39 |
> csp = script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
40 |
> EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
41 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
42 |
$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
43 |
$ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
44 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
45 |
repo index should send Content-Security-Policy header when enabled |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
46 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
47 |
$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
48 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
49 |
content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
50 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
51 |
static page should send CSP when enabled |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
52 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
53 |
$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
54 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
55 |
content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
56 |
|
37826
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
57 |
$ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy |
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
58 |
200 Script output follows |
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
59 |
content-security-policy: script-src https://example.com/ 'unsafe-inline' |
37828
3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
37826
diff
changeset
|
60 |
304 Not Modified |
3e3acf5d6a07
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
37826
diff
changeset
|
61 |
content-security-policy: script-src https://example.com/ 'unsafe-inline' |
37826
d105bbb74658
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
Gregory Szorc <gregory.szorc@gmail.com>
parents:
35605
diff
changeset
|
62 |
|
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
63 |
repo page should send CSP by default, include etag w/o nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
64 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
65 |
$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
66 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
67 |
content-security-policy: script-src https://example.com/ 'unsafe-inline' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
68 |
etag: W/"*" (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
69 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
70 |
nonce should not be added to html if CSP doesn't use it |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
71 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
72 |
$ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
73 |
<script type="text/javascript" src="/repo1/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
74 |
<script type="text/javascript"> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
75 |
<script type="text/javascript"> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
76 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
77 |
Configure CSP with nonce |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
78 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
79 |
$ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
80 |
$ cat >> web.conf << EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
81 |
> csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
82 |
> EOF |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
83 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
84 |
$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
85 |
$ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
86 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
87 |
nonce should be substituted in CSP header |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
88 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
89 |
$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
90 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
91 |
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
92 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
93 |
nonce should be included in CSP for static pages |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
94 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
95 |
$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
96 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
97 |
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
98 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
99 |
repo page should have nonce, no ETag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
100 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
101 |
$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
102 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
103 |
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
104 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
105 |
nonce should be added to html when used |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
106 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
107 |
$ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
108 |
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
109 |
<script type="text/javascript" src="/repo1/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
110 |
<script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
111 |
<script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
112 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
113 |
hgweb_mod w/o hgwebdir works as expected |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
114 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
115 |
$ killdaemons.py |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
116 |
|
34483
a6d95a8b7243
serve: make tests compatible with chg
Saurabh Singh <singhsrb@fb.com>
parents:
30766
diff
changeset
|
117 |
$ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'" |
30766
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
118 |
$ cat hg.pid > $DAEMON_PIDS |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
119 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
120 |
static page sends CSP |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
121 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
122 |
$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
123 |
200 Script output follows |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
124 |
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
125 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
126 |
nonce included in <script> and headers |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
127 |
|
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
128 |
$ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy | egrep 'content-security-policy|<script' |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
129 |
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
130 |
<script type="text/javascript" src="/static/mercurial.js"></script> |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
131 |
<script type="text/javascript" nonce="*"> (glob) |
d7bf7d2bd5ab
hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff
changeset
|
132 |
<script type="text/javascript" nonce="*"> (glob) |