upstream/mercurial-mirror Files · tests/test-hgweb-csp.t

extensions: register functions always at loading extension (issue5601)...

extensions: register functions always at loading extension (issue5601) Before this patch, functions defined in extensions are registered via extra loaders only in _dispatch(). Therefore, loading extensions in other code paths like below omits registration of functions. - WSGI service - operation across repositories (e.g. subrepo) - test-duplicateoptions.py, using extensions.loadall() directly To register functions always at loading new extension, this patch moves implementation for extra loading from dispatch._dispatch() to extensions.loadall(). AFAIK, only commands module causes cyclic dependency between extensions module, but this patch imports all related modules just before extra loading in loadall(), in order to centralize them. This patch makes extensions.py depend on many other modules, even though extensions.py itself doesn't. It should be avoided if possible, but I don't have any better idea. Some other places like below aren't reasonable for extra loading, IMHO. - specific function in newly added module: existing callers of extensions.loadall() should invoke it, too - hg.repository() or so: no-repo commands aren't covered by this. BTW, this patch removes _loaded.add(name) on relocation, because dispatch._loaded is used only for extraloaders (for similar reason, "exts" variable is removed, too).

Gregory Szorc - - Load All Authors

File last commit:

r30766:d7bf7d2b default


                r33052:45b0e9d0

default

Download file

             test-hgweb-csp.t
        
                    129 lines
            
             | 4.7 KiB
            
                | text/troff
            
             |
                Tads3Lexer
            
             / tests / test-hgweb-csp.t
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      #require serve

        $ cat > web.conf << EOF

        > [paths]

        > / = $TESTTMP/*

        > EOF

        $ hg init repo1

        $ cd repo1

        $ touch foo

        $ hg -q commit -A -m initial

        $ cd ..

        $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf

        $ cat hg.pid >> $DAEMON_PIDS

      repo index should not send Content-Security-Policy header by default

        $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag

        200 Script output follows

      static page should not send CSP by default

        $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag

        200 Script output follows

      repo page should not send CSP by default, should send ETag

        $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag

        200 Script output follows

        etag: W/"*" (glob)

        $ killdaemons.py

      Configure CSP without nonce

        $ cat >> web.conf << EOF

        > [web]

        > csp = script-src https://example.com/ 'unsafe-inline'

        > EOF

        $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf

        $ cat hg.pid > $DAEMON_PIDS

      repo index should send Content-Security-Policy header when enabled

        $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag

        200 Script output follows

        content-security-policy: script-src https://example.com/ 'unsafe-inline'

      static page should send CSP when enabled

        $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag

        200 Script output follows

        content-security-policy: script-src https://example.com/ 'unsafe-inline'

      repo page should send CSP by default, include etag w/o nonce

        $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag

        200 Script output follows

        content-security-policy: script-src https://example.com/ 'unsafe-inline'

        etag: W/"*" (glob)

      nonce should not be added to html if CSP doesn't use it

        $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'

        <script type="text/javascript" src="/repo1/static/mercurial.js"></script>

        <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->

        <script type="text/javascript">

        <script type="text/javascript">

      Configure CSP with nonce

        $ killdaemons.py

        $ cat >> web.conf << EOF

        > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'

        > EOF

        $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf

        $ cat hg.pid > $DAEMON_PIDS

      nonce should be substituted in CSP header

        $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag

        200 Script output follows

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

      nonce should be included in CSP for static pages

        $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag

        200 Script output follows

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

      repo page should have nonce, no ETag

        $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag

        200 Script output follows

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

      nonce should be added to html when used

        $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

        <script type="text/javascript" src="/repo1/static/mercurial.js"></script>

        <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->

        <script type="text/javascript" nonce="*"> (glob)

        <script type="text/javascript" nonce="*"> (glob)

      hgweb_mod w/o hgwebdir works as expected

        $ killdaemons.py

        $ hg -R repo1 serve -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"

        $ cat hg.pid > $DAEMON_PIDS

      static page sends CSP

        $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag

        200 Script output follows

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

      nonce included in <script> and headers

        $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

        <script type="text/javascript" src="/static/mercurial.js"></script>

        <!--[if IE]><script type="text/javascript" src="/static/excanvas.js"></script><![endif]-->

        <script type="text/javascript" nonce="*"> (glob)

        <script type="text/javascript" nonce="*"> (glob)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				#require serve

				$ cat > web.conf << EOF
				> [paths]
				> / = $TESTTMP/*
				> EOF

				$ hg init repo1
				$ cd repo1
				$ touch foo
				$ hg -q commit -A -m initial
				$ cd ..

				$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
				$ cat hg.pid >> $DAEMON_PIDS

				repo index should not send Content-Security-Policy header by default

				$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
				200 Script output follows

				static page should not send CSP by default

				$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
				200 Script output follows

				repo page should not send CSP by default, should send ETag

				$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
				200 Script output follows
				etag: W/"*" (glob)

				$ killdaemons.py

				Configure CSP without nonce

				$ cat >> web.conf << EOF
				> [web]
				> csp = script-src https://example.com/ 'unsafe-inline'
				> EOF

				$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
				$ cat hg.pid > $DAEMON_PIDS

				repo index should send Content-Security-Policy header when enabled

				$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
				200 Script output follows
				content-security-policy: script-src https://example.com/ 'unsafe-inline'

				static page should send CSP when enabled

				$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
				200 Script output follows
				content-security-policy: script-src https://example.com/ 'unsafe-inline'

				repo page should send CSP by default, include etag w/o nonce

				$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
				200 Script output follows
				content-security-policy: script-src https://example.com/ 'unsafe-inline'
				etag: W/"*" (glob)

				nonce should not be added to html if CSP doesn't use it

				$ get-with-headers.py localhost:$HGPORT repo1/graph/tip \| egrep 'content-security-policy\|<script'
				<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
				<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
				<script type="text/javascript">
				<script type="text/javascript">

				Configure CSP with nonce

				$ killdaemons.py
				$ cat >> web.conf << EOF
				> csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
				> EOF

				$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
				$ cat hg.pid > $DAEMON_PIDS

				nonce should be substituted in CSP header

				$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
				200 Script output follows
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

				nonce should be included in CSP for static pages

				$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
				200 Script output follows
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

				repo page should have nonce, no ETag

				$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
				200 Script output follows
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

				nonce should be added to html when used

				$ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
				<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
				<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
				<script type="text/javascript" nonce="*"> (glob)
				<script type="text/javascript" nonce="*"> (glob)

				hgweb_mod w/o hgwebdir works as expected

				$ killdaemons.py

				$ hg -R repo1 serve -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
				$ cat hg.pid > $DAEMON_PIDS

				static page sends CSP

				$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
				200 Script output follows
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

				nonce included in <script> and headers

				$ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
				<script type="text/javascript" src="/static/mercurial.js"></script>
				<!--[if IE]><script type="text/javascript" src="/static/excanvas.js"></script><![endif]-->
				<script type="text/javascript" nonce="*"> (glob)
				<script type="text/javascript" nonce="*"> (glob)