Mercurial Mercurial > mercurial / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tests/test-hgweb-csp.t
author Saurabh Singh <singhsrb@fb.com>
Wed, 04 Oct 2017 18:39:26 -0700
changeset 34483 a6d95a8b7243
parent 30766 d7bf7d2bd5ab
child 35605 45a816361926
permissions -rw-r--r--
serve: make tests compatible with chg chg only supports 'hg serve' when the options to the serve command follow the 'hg serve'. For example, 'hg -R <repo> serve ..' is unsupported. This leads to issues with chg running for the following tests: - test-bundle2-exchange.t - test-clone-uncompressed.t - test-hgweb-csp.t - test-http-bad-server.t - test-http-bundle1.t - test-http-protocol.t - test-http.t There was an effort made earlier to fix this issue for chg and the tests were fixed to confirm to the compatible pattern. But the new tests did not take care of the same and hence, fail. Hopefully, there will be continuous build setup for chg after all tests are made compatible with chg so that we can avoid such issues. Test Plan: Ran the aforementioned tests with and without '--chg' option. Differential Revision: https://phab.mercurial-scm.org/D946
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
30766
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     1
 
#require serve
d7bf7d2bd5ab hgweb: support Content Security Policy
Gregory Szorc <gregory.szorc@gmail.com>
parents:
diff changeset 
     2
 












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     3


  $ cat > web.conf << EOF












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     4


  > [paths]












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     5


  > / = $TESTTMP/*












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     6


  > EOF












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     7














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     8


  $ hg init repo1












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




     9


  $ cd repo1












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    10


  $ touch foo












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    11


  $ hg -q commit -A -m initial












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    12


  $ cd ..












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    13














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    14


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    15


  $ cat hg.pid >> $DAEMON_PIDS












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    16














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    17


repo index should not send Content-Security-Policy header by default












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    18














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    19


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    20


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    21














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    22


static page should not send CSP by default












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    23














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    24


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    25


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    26














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    27


repo page should not send CSP by default, should send ETag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    28














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    29


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    30


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    31


  etag: W/"*" (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    32














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    33


  $ killdaemons.py












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    34














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    35


Configure CSP without nonce












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    36














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    37


  $ cat >> web.conf << EOF












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    38


  > [web]












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    39


  > csp = script-src https://example.com/ 'unsafe-inline'












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    40


  > EOF












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    41














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    42


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    43


  $ cat hg.pid > $DAEMON_PIDS












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    44














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    45


repo index should send Content-Security-Policy header when enabled












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    46














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    47


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    48


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    49


  content-security-policy: script-src https://example.com/ 'unsafe-inline'












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    50














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    51


static page should send CSP when enabled












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    52














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    53


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    54


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    55


  content-security-policy: script-src https://example.com/ 'unsafe-inline'












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    56














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    57


repo page should send CSP by default, include etag w/o nonce












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    58














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    59


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    60


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    61


  content-security-policy: script-src https://example.com/ 'unsafe-inline'












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    62


  etag: W/"*" (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    63














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    64


nonce should not be added to html if CSP doesn't use it












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    65














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    66


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    67


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    68


  <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    69


  <script type="text/javascript">












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    70


  <script type="text/javascript">












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    71














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    72


Configure CSP with nonce












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    73














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    74


  $ killdaemons.py












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    75


  $ cat >> web.conf << EOF












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    76


  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    77


  > EOF












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    78














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    79


  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    80


  $ cat hg.pid > $DAEMON_PIDS












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    81














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    82


nonce should be substituted in CSP header












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    83














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    84


  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    85


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    86


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    87














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    88


nonce should be included in CSP for static pages












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    89














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    90


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    91


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    92


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    93














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    94


repo page should have nonce, no ETag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    95














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    96


  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    97


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    98


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




    99














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   100


nonce should be added to html when used












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   101














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   102


  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   103


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   104


  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   105


  <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   106


  <script type="text/javascript" nonce="*"> (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   107


  <script type="text/javascript" nonce="*"> (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   108














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   109


hgweb_mod w/o hgwebdir works as expected












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   110














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   111


  $ killdaemons.py












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   112









34483






a6d95a8b7243
serve: make tests compatible with chg



Saurabh Singh <singhsrb@fb.com>


parents: 
30766

diff
changeset




   113


  $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"







30766






d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   114


  $ cat hg.pid > $DAEMON_PIDS












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   115














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   116


static page sends CSP












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   117














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   118


  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   119


  200 Script output follows












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   120


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   121














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   122


nonce included in <script> and headers












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   123














d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   124


  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   125


  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   126


  <script type="text/javascript" src="/static/mercurial.js"></script>












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   127


  <!--[if IE]><script type="text/javascript" src="/static/excanvas.js"></script><![endif]-->












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   128


  <script type="text/javascript" nonce="*"> (glob)












d7bf7d2bd5ab
hgweb: support Content Security Policy



Gregory Szorc <gregory.szorc@gmail.com>


parents: 

diff
changeset




   129


  <script type="text/javascript" nonce="*"> (glob)














mercurial