upstream/mercurial-mirror Files · tests/test-hgweb-csp.t

flagutil: move addflagprocessor to the new module (API)

Gregory Szorc - - Load All Authors

File last commit:

r37847:3e3acf5d stable


                r42958:6d61be15

default

Download file

             test-hgweb-csp.t
        
                    132 lines
            
             | 4.7 KiB
            
                | text/troff
            
             |
                Tads3Lexer
            
             / tests / test-hgweb-csp.t
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      #require serve

        $ cat > web.conf << EOF

        > [paths]

        > / = $TESTTMP/*

        > EOF

        $ hg init repo1

        $ cd repo1

        $ touch foo

        $ hg -q commit -A -m initial

        $ cd ..

        $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf

        $ cat hg.pid >> $DAEMON_PIDS

      repo index should not send Content-Security-Policy header by default

        $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag

        200 Script output follows

      static page should not send CSP by default

        $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag

        200 Script output follows

      repo page should not send CSP by default, should send ETag

        $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag

        200 Script output follows

        etag: W/"*" (glob)

        $ killdaemons.py

      Configure CSP without nonce

        $ cat >> web.conf << EOF

        > [web]

        > csp = script-src https://example.com/ 'unsafe-inline'

        > EOF

        $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf

        $ cat hg.pid > $DAEMON_PIDS

      repo index should send Content-Security-Policy header when enabled

        $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag

        200 Script output follows

        content-security-policy: script-src https://example.com/ 'unsafe-inline'

      static page should send CSP when enabled

        $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag

        200 Script output follows

        content-security-policy: script-src https://example.com/ 'unsafe-inline'

        $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy

        200 Script output follows

        content-security-policy: script-src https://example.com/ 'unsafe-inline'

        304 Not Modified

        content-security-policy: script-src https://example.com/ 'unsafe-inline'

      repo page should send CSP by default, include etag w/o nonce

        $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag

        200 Script output follows

        content-security-policy: script-src https://example.com/ 'unsafe-inline'

        etag: W/"*" (glob)

      nonce should not be added to html if CSP doesn't use it

        $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'

        <script type="text/javascript" src="/repo1/static/mercurial.js"></script>

        <script type="text/javascript">

        <script type="text/javascript">

      Configure CSP with nonce

        $ killdaemons.py

        $ cat >> web.conf << EOF

        > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'

        > EOF

        $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf

        $ cat hg.pid > $DAEMON_PIDS

      nonce should be substituted in CSP header

        $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag

        200 Script output follows

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

      nonce should be included in CSP for static pages

        $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag

        200 Script output follows

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

      repo page should have nonce, no ETag

        $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag

        200 Script output follows

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

      nonce should be added to html when used

        $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

        <script type="text/javascript" src="/repo1/static/mercurial.js"></script>

        <script type="text/javascript" nonce="*"> (glob)

        <script type="text/javascript" nonce="*"> (glob)

      hgweb_mod w/o hgwebdir works as expected

        $ killdaemons.py

        $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"

        $ cat hg.pid > $DAEMON_PIDS

      static page sends CSP

        $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag

        200 Script output follows

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

      nonce included in <script> and headers

        $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'

        content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

        <script type="text/javascript" src="/static/mercurial.js"></script>

        <script type="text/javascript" nonce="*"> (glob)

        <script type="text/javascript" nonce="*"> (glob)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				#require serve

				$ cat > web.conf << EOF
				> [paths]
				> / = $TESTTMP/*
				> EOF

				$ hg init repo1
				$ cd repo1
				$ touch foo
				$ hg -q commit -A -m initial
				$ cd ..

				$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
				$ cat hg.pid >> $DAEMON_PIDS

				repo index should not send Content-Security-Policy header by default

				$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
				200 Script output follows

				static page should not send CSP by default

				$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
				200 Script output follows

				repo page should not send CSP by default, should send ETag

				$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
				200 Script output follows
				etag: W/"*" (glob)

				$ killdaemons.py

				Configure CSP without nonce

				$ cat >> web.conf << EOF
				> [web]
				> csp = script-src https://example.com/ 'unsafe-inline'
				> EOF

				$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
				$ cat hg.pid > $DAEMON_PIDS

				repo index should send Content-Security-Policy header when enabled

				$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
				200 Script output follows
				content-security-policy: script-src https://example.com/ 'unsafe-inline'

				static page should send CSP when enabled

				$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
				200 Script output follows
				content-security-policy: script-src https://example.com/ 'unsafe-inline'

				$ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy
				200 Script output follows
				content-security-policy: script-src https://example.com/ 'unsafe-inline'
				304 Not Modified
				content-security-policy: script-src https://example.com/ 'unsafe-inline'

				repo page should send CSP by default, include etag w/o nonce

				$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
				200 Script output follows
				content-security-policy: script-src https://example.com/ 'unsafe-inline'
				etag: W/"*" (glob)

				nonce should not be added to html if CSP doesn't use it

				$ get-with-headers.py localhost:$HGPORT repo1/graph/tip \| egrep 'content-security-policy\|<script'
				<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
				<script type="text/javascript">
				<script type="text/javascript">

				Configure CSP with nonce

				$ killdaemons.py
				$ cat >> web.conf << EOF
				> csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
				> EOF

				$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
				$ cat hg.pid > $DAEMON_PIDS

				nonce should be substituted in CSP header

				$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
				200 Script output follows
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

				nonce should be included in CSP for static pages

				$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
				200 Script output follows
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

				repo page should have nonce, no ETag

				$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
				200 Script output follows
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

				nonce should be added to html when used

				$ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
				<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
				<script type="text/javascript" nonce="*"> (glob)
				<script type="text/javascript" nonce="*"> (glob)

				hgweb_mod w/o hgwebdir works as expected

				$ killdaemons.py

				$ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
				$ cat hg.pid > $DAEMON_PIDS

				static page sends CSP

				$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
				200 Script output follows
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

				nonce included in <script> and headers

				$ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy \| egrep 'content-security-policy\|<script'
				content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
				<script type="text/javascript" src="/static/mercurial.js"></script>
				<script type="text/javascript" nonce="*"> (glob)
				<script type="text/javascript" nonce="*"> (glob)