mercurial: tests/test-hgweb-csp.t@d334afc585e2 (annotated)

30766 d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	1	#require serve
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	2
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	3	$ cat > web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	4	> [paths]
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	5	> / = $TESTTMP/*
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	6	> EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	7
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	8	$ hg init repo1
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	9	$ cd repo1
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	10	$ touch foo
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	11	$ hg -q commit -A -m initial
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	12	$ cd ..
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	13
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	14	$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	15	$ cat hg.pid >> $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	16
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	17	repo index should not send Content-Security-Policy header by default
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	18
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	19	$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	20	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	21
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	22	static page should not send CSP by default
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	23
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	24	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	25	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	26
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	27	repo page should not send CSP by default, should send ETag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	28
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	29	$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	30	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	31	etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	32
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	33	$ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	34
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	35	Configure CSP without nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	36
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	37	$ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	38	> [web]
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	39	> csp = script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	40	> EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	41
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	42	$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	43	$ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	44
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	45	repo index should send Content-Security-Policy header when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	46
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	47	$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	48	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	49	content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	50
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	51	static page should send CSP when enabled
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	52
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	53	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	54	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	55	content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	56
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	57	repo page should send CSP by default, include etag w/o nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	58
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	59	$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	60	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	61	content-security-policy: script-src https://example.com/ 'unsafe-inline'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	62	etag: W/"*" (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	63
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	64	nonce should not be added to html if CSP doesn't use it
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	65
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	66	$ get-with-headers.py localhost:$HGPORT repo1/graph/tip \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	67	<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	68	<script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	69	<script type="text/javascript">
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	70
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	71	Configure CSP with nonce
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	72
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	73	$ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	74	$ cat >> web.conf << EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	75	> csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	76	> EOF
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	77
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	78	$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	79	$ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	80
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	81	nonce should be substituted in CSP header
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	82
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	83	$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	84	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	85	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	86
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	87	nonce should be included in CSP for static pages
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	88
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	89	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	90	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	91	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	92
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	93	repo page should have nonce, no ETag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	94
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	95	$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	96	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	97	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	98
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	99	nonce should be added to html when used
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	100
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	101	$ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	102	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	103	<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	104	<script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	105	<script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	106
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	107	hgweb_mod w/o hgwebdir works as expected
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	108
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	109	$ killdaemons.py
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	110
34483 a6d95a8b7243 serve: make tests compatible with chg Saurabh Singh <singhsrb@fb.com> parents: 30766 diff changeset	111	$ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
30766 d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	112	$ cat hg.pid > $DAEMON_PIDS
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	113
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	114	static page sends CSP
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	115
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	116	$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	117	200 Script output follows
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	118	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	119
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	120	nonce included in <script> and headers
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	121
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	122	$ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	123	content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	124	<script type="text/javascript" src="/static/mercurial.js"></script>
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	125	<script type="text/javascript" nonce="*"> (glob)
d7bf7d2bd5ab hgweb: support Content Security Policy Gregory Szorc <gregory.szorc@gmail.com> parents: diff changeset	126	<script type="text/javascript" nonce="*"> (glob)

author	Augie Fackler <augie@google.com>
	Thu, 01 Feb 2018 14:11:18 -0500
branch	stable
changeset 35818	d334afc585e2
parent 35605	45a816361926
child 37826	d105bbb74658
permissions	-rw-r--r--