paper: add href="#" to links with click handlers
This restores the styling that was accidentally removed by the
previous change to these files.
Differential Revision: https://phab.mercurial-scm.org/D3438
paper: don't register click handlers with inline javascript (
issue5812)
The use of inline href="javascript:" undermines CSP policies that
don't allow inline javascript.
This commit changes the registering of the diffstat and line wrapping
toggle handlers to the the global DOMContentLoaded handler, thus
eliminating all inline javascript from the paper template.
Differential Revision: https://phab.mercurial-scm.org/D3437
hgweb: allow Content-Security-Policy header on 304 responses (
issue5844)
A side-effect of
98baf8dea553 was that the Content-Security-Policy
header was set on all HTTP responses by default. This header wasn't
in our list of allowed headers for HTTP 304 responses. This would
trigger a ProgrammingError when a 304 response was issued via hgwebdir.
This commit adds Content-Security-Policy to the allow list of headers
for 304 responses so we no longer encounter the error.
Differential Revision: https://phab.mercurial-scm.org/D3436
hgweb: discard Content-Type header for 304 responses (
issue5844)
A side-effect of
98baf8dea553 was that hgwebdir always sets a global
default for the Content-Type header. HTTP 304 responses don't allow
the Content-Type header. So a side-effect of this change was that
HTTP 304 responses served via hgwebdir resulted in a ProgrammingError
being raised.
This commit teaches our 304 response issuing code to drop the
Content-Type header.
Differential Revision: https://phab.mercurial-scm.org/D3435
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
There are two separate failures here. One for the Content-Type header.
Another for the Content-Security-Policy header.
Differential Revision: https://phab.mercurial-scm.org/D3434
hgweb: guard against empty Content-Length header
Discussion in issue 5860 seems to indicate this can occur.
Differential Revision: https://phab.mercurial-scm.org/D3432
test-push-http: do not clear pid file
It's okay now, but we'll end up leaking daemon processes if we add some
more.
debugcolor: fix crash by empty styles (
issue5856)
tests: explicitly define compression engines for tests
The zstd compression engine requires C extensions and isn't present
in pure Python builds.
The compression engine list leaks into the server capabilities string.
Unless we're testing functionality specific to a compression format,
the set of compression formats supported by a server doesn't matter
much.
So this commit explicitly defines the server's compression engines for
some tests so behavior is consistent between pure and non-pure builds.
Differential Revision: https://phab.mercurial-scm.org/D3431
tests: update no-zstd branch of test-treediscovery.t as in
330ada7e8ea5
This side of the test got overlooked. We should probably consider
having a way to run some of our tests through a "no-zstd" case just
like we run some things through a "no-obsmarkers" case, but that's not
an appropriate thing for stable.
Differential Revision: https://phab.mercurial-scm.org/D3430