##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

hgweb: support Content Security Policy...
hgweb: support Content Security Policy Content-Security-Policy (CSP) is a web security feature that allows servers to declare what loaded content is allowed to do. For example, a policy can prevent loading of images, JavaScript, CSS, etc unless the source of that content is whitelisted (by hostname, URI scheme, hashes of content, etc). It's a nifty security feature that provides extra mitigation against some attacks, notably XSS. Mitigation against these attacks is important for Mercurial because hgweb renders repository data, which is commonly untrusted. While we make attempts to escape things, etc, there's the possibility that malicious data could be injected into the site content. If this happens today, the full power of the web browser is available to that malicious content. A restrictive CSP policy (defined by the server operator and sent in an HTTP header which is outside the control of malicious content), could restrict browser capabilities and mitigate security problems posed by malicious data. CSP works by emitting an HTTP header declaring the policy that browsers should apply. Ideally, this header would be emitted by a layer above Mercurial (likely the HTTP server doing the WSGI "proxying"). This works for some CSP policies, but not all. For example, policies to allow inline JavaScript may require setting a "nonce" attribute on <script>. This attribute value must be unique and non-guessable. And, the value must be present in the HTTP header and the HTML body. This means that coordinating the value between Mercurial and another HTTP server could be difficult: it is much easier to generate and emit the nonce in a central location. This commit introduces support for emitting a Content-Security-Policy header from hgweb. A config option defines the header value. If present, the header is emitted. A special "%nonce%" syntax in the value triggers generation of a nonce and inclusion in <script> elements in templates. The inclusion of a nonce does not occur unless "%nonce%" is present. This makes this commit completely backwards compatible and the feature opt-in. The nonce is a type 4 UUID, which is the flavor that is randomly generated. It has 122 random bits, which should be plenty to satisfy the guarantees of a nonce.
Mads Kiilerich - - Load All Authors

File last commit:

r26781:1aee2ab0 default
r30766:d7bf7d2b default
Show More
hgweb.txt
86 lines | 3.3 KiB | text/plain | TextLexer
/ mercurial / help / hgweb.txt
History | Annotation | Raw |Copy content |Copy permalink
Mercurial's internal web server, hgweb, can serve either a single
repository, or a tree of repositories. In the second case, repository
paths and global options can be defined using a dedicated
configuration file common to :hg:`serve`, ``hgweb.wsgi``,
``hgweb.cgi`` and ``hgweb.fcgi``.
This file uses the same syntax as other Mercurial configuration files
but recognizes only the following sections:
- web
- paths
- collections
The ``web`` options are thoroughly described in :hg:`help config`.
The ``paths`` section maps URL paths to paths of repositories in the
filesystem. hgweb will not expose the filesystem directly - only
Mercurial repositories can be published and only according to the
configuration.
The left hand side is the path in the URL. Note that hgweb reserves
subpaths like ``rev`` or ``file``, try using different names for
nested repositories to avoid confusing effects.
The right hand side is the path in the filesystem. If the specified
path ends with ``*`` or ``**`` the filesystem will be searched
recursively for repositories below that point.
With ``*`` it will not recurse into the repositories it finds (except for
``.hg/patches``).
With ``**`` it will also search inside repository working directories
and possibly find subrepositories.
In this example::
[paths]
/projects/a = /srv/tmprepos/a
/projects/b = c:/repos/b
/ = /srv/repos/*
/user/bob = /home/bob/repos/**
- The first two entries make two repositories in different directories
appear under the same directory in the web interface
- The third entry will publish every Mercurial repository found in
``/srv/repos/``, for instance the repository ``/srv/repos/quux/``
will appear as ``http://server/quux/``
- The fourth entry will publish both ``http://server/user/bob/quux/``
and ``http://server/user/bob/quux/testsubrepo/``
The ``collections`` section is deprecated and has been superseded by
``paths``.
URLs and Common Arguments
=========================
URLs under each repository have the form ``/{command}[/{arguments}]``
where ``{command}`` represents the name of a command or handler and
``{arguments}`` represents any number of additional URL parameters
to that command.
The web server has a default style associated with it. Styles map to
a collection of named templates. Each template is used to render a
specific piece of data, such as a changeset or diff.
The style for the current request can be overwritten two ways. First,
if ``{command}`` contains a hyphen (``-``), the text before the hyphen
defines the style. For example, ``/atom-log`` will render the ``log``
command handler with the ``atom`` style. The second way to set the
style is with the ``style`` query string argument. For example,
``/log?style=atom``. The hyphenated URL parameter is preferred.
Not all templates are available for all styles. Attempting to use
a style that doesn't have all templates defined may result in an error
rendering the page.
Many commands take a ``{revision}`` URL parameter. This defines the
changeset to operate on. This is commonly specified as the short,
12 digit hexadecimal abbreviation for the full 40 character unique
revision identifier. However, any value described by
:hg:`help revisions` typically works.
Commands and URLs
=================
The following web commands and their URLs are available:
.. webcommandsmarker