Mercurial > hg
view tests/test-hgweb-csp.t @ 46492:7289eac777ec stable
hooks: introduce a `:run-with-plain` option for hooks
This option control if HGPLAIN should be set or not for the hooks. This is the
first step to give user some control of the HGPLAIN setting for they hooks.
Some hooks (eg: consistency checking) deserve to be run with HGPLAIN, some other
(eg: user set visual helper) might need to respect the user config and setting.
So both usage are valid and we need to restore the ability to run -without-
HGPLAIN that got lost in Mercurial 5.7.
This does not offer a way to restore the pre-5.7 behavior yet (respect whatever
HGPLAIN setting from the shell), this will be dealt with in the next changeset.
The option name is a bit verbose because implementing this highlighs the need
for another option: `:run-if-plain`. That would make it possible for some hooks
to be easily disabled if HG PLAIN is set. However such option would be a new
feature, not something introduced to mitigate a behavior change introduced in
5.7, so the `:run-if-plain` option belong to the default branch and is not part
of this series.
Differential Revision: https://phab.mercurial-scm.org/D9981
| author | Pierre-Yves David <pierre-yves.david@octobus.net> |
|---|---|
| date | Wed, 10 Feb 2021 23:21:21 +0100 |
| parents | 3e3acf5d6a07 |
| children | 7e5be4a7cda7 |
line wrap: on
line source
#require serve $ cat > web.conf << EOF > [paths] > / = $TESTTMP/* > EOF $ hg init repo1 $ cd repo1 $ touch foo $ hg -q commit -A -m initial $ cd .. $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf $ cat hg.pid >> $DAEMON_PIDS repo index should not send Content-Security-Policy header by default $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag 200 Script output follows static page should not send CSP by default $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag 200 Script output follows repo page should not send CSP by default, should send ETag $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag 200 Script output follows etag: W/"*" (glob) $ killdaemons.py Configure CSP without nonce $ cat >> web.conf << EOF > [web] > csp = script-src https://example.com/ 'unsafe-inline' > EOF $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf $ cat hg.pid > $DAEMON_PIDS repo index should send Content-Security-Policy header when enabled $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag 200 Script output follows content-security-policy: script-src https://example.com/ 'unsafe-inline' static page should send CSP when enabled $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag 200 Script output follows content-security-policy: script-src https://example.com/ 'unsafe-inline' $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy 200 Script output follows content-security-policy: script-src https://example.com/ 'unsafe-inline' 304 Not Modified content-security-policy: script-src https://example.com/ 'unsafe-inline' repo page should send CSP by default, include etag w/o nonce $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag 200 Script output follows content-security-policy: script-src https://example.com/ 'unsafe-inline' etag: W/"*" (glob) nonce should not be added to html if CSP doesn't use it $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script' <script type="text/javascript" src="/repo1/static/mercurial.js"></script> <script type="text/javascript"> <script type="text/javascript"> Configure CSP with nonce $ killdaemons.py $ cat >> web.conf << EOF > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%' > EOF $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf $ cat hg.pid > $DAEMON_PIDS nonce should be substituted in CSP header $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag 200 Script output follows content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) nonce should be included in CSP for static pages $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag 200 Script output follows content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) repo page should have nonce, no ETag $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag 200 Script output follows content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) nonce should be added to html when used $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script' content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) <script type="text/javascript" src="/repo1/static/mercurial.js"></script> <script type="text/javascript" nonce="*"> (glob) <script type="text/javascript" nonce="*"> (glob) hgweb_mod w/o hgwebdir works as expected $ killdaemons.py $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'" $ cat hg.pid > $DAEMON_PIDS static page sends CSP $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag 200 Script output follows content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) nonce included in <script> and headers $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy | egrep 'content-security-policy|<script' content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) <script type="text/javascript" src="/static/mercurial.js"></script> <script type="text/javascript" nonce="*"> (glob) <script type="text/javascript" nonce="*"> (glob)