Mercurial > hg
changeset 37828:3e3acf5d6a07 stable
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
A side-effect of 98baf8dea553 was that the Content-Security-Policy
header was set on all HTTP responses by default. This header wasn't
in our list of allowed headers for HTTP 304 responses. This would
trigger a ProgrammingError when a 304 response was issued via hgwebdir.
This commit adds Content-Security-Policy to the allow list of headers
for 304 responses so we no longer encounter the error.
Differential Revision: https://phab.mercurial-scm.org/D3436
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Mon, 30 Apr 2018 17:28:59 -0700 |
| parents | 11ee9bf24791 |
| children | 2ead51dcde71 |
| files | mercurial/hgweb/request.py tests/test-hgweb-csp.t |
| diffstat | 2 files changed, 3 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/hgweb/request.py Mon Apr 30 17:22:20 2018 -0700 +++ b/mercurial/hgweb/request.py Mon Apr 30 17:28:59 2018 -0700 @@ -473,6 +473,7 @@ if k.lower() not in ('date', 'etag', 'expires', 'cache-control', 'content-location', + 'content-security-policy', 'vary')} if badheaders: raise error.ProgrammingError(
--- a/tests/test-hgweb-csp.t Mon Apr 30 17:22:20 2018 -0700 +++ b/tests/test-hgweb-csp.t Mon Apr 30 17:28:59 2018 -0700 @@ -57,8 +57,8 @@ $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy 200 Script output follows content-security-policy: script-src https://example.com/ 'unsafe-inline' - 500 Internal Server Error - [1] + 304 Not Modified + content-security-policy: script-src https://example.com/ 'unsafe-inline' repo page should send CSP by default, include etag w/o nonce