changeset 37828:3e3acf5d6a07 stable

hgweb: allow Content-Security-Policy header on 304 responses (issue5844) A side-effect of 98baf8dea553 was that the Content-Security-Policy header was set on all HTTP responses by default. This header wasn't in our list of allowed headers for HTTP 304 responses. This would trigger a ProgrammingError when a 304 response was issued via hgwebdir. This commit adds Content-Security-Policy to the allow list of headers for 304 responses so we no longer encounter the error. Differential Revision: https://phab.mercurial-scm.org/D3436
author Gregory Szorc <gregory.szorc@gmail.com>
date Mon, 30 Apr 2018 17:28:59 -0700
parents 11ee9bf24791
children 2ead51dcde71
files mercurial/hgweb/request.py tests/test-hgweb-csp.t
diffstat 2 files changed, 3 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/hgweb/request.py	Mon Apr 30 17:22:20 2018 -0700
+++ b/mercurial/hgweb/request.py	Mon Apr 30 17:28:59 2018 -0700
@@ -473,6 +473,7 @@
                           if k.lower() not in ('date', 'etag', 'expires',
                                                'cache-control',
                                                'content-location',
+                                               'content-security-policy',
                                                'vary')}
             if badheaders:
                 raise error.ProgrammingError(
--- a/tests/test-hgweb-csp.t	Mon Apr 30 17:22:20 2018 -0700
+++ b/tests/test-hgweb-csp.t	Mon Apr 30 17:28:59 2018 -0700
@@ -57,8 +57,8 @@
   $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy
   200 Script output follows
   content-security-policy: script-src https://example.com/ 'unsafe-inline'
-  500 Internal Server Error
-  [1]
+  304 Not Modified
+  content-security-policy: script-src https://example.com/ 'unsafe-inline'
 
 repo page should send CSP by default, include etag w/o nonce