This is an archive of the discontinued Mercurial Phabricator instance.

Differential D3436

hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
ClosedPublic

Authored by indygreg on Apr 30 2018, 8:37 PM.

Details

Reviewers
krbullock
Group Reviewers
hg-reviewers
Commits
rHG3e3acf5d6a07: hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Summary

A side-effect of 98baf8dea553 was that the Content-Security-Policy
header was set on all HTTP responses by default. This header wasn't
in our list of allowed headers for HTTP 304 responses. This would
trigger a ProgrammingError when a 304 response was issued via hgwebdir.

This commit adds Content-Security-Policy to the allow list of headers
for 304 responses so we no longer encounter the error.

Diff Detail

Repository
rHG Mercurial
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

indygreg created this revision.Apr 30 2018, 8:37 PM
krbullock accepted this revision.May 2 2018, 10:10 PM
krbullock added a subscriber: krbullock.

Queued, thanks.

This revision is now accepted and ready to land.May 2 2018, 10:10 PM
Closed by commit rHG3e3acf5d6a07: hgweb: allow Content-Security-Policy header on 304 responses (issue5844) (authored by indygreg). · Explain WhyMay 2 2018, 10:25 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathPackages
Mmercurial/hgweb/request.py (1 line)
Mtests/test-hgweb-csp.t (4 lines)

Diff 8448

mercurial/hgweb/request.py

del self.headers['Content-Length'] del self.headers['Content-Length']
# Strictly speaking, this is too strict. But until it causes # Strictly speaking, this is too strict. But until it causes
# problems, let's be strict. # problems, let's be strict.
badheaders = {k for k in self.headers.keys() badheaders = {k for k in self.headers.keys()
if k.lower() not in ('date', 'etag', 'expires', if k.lower() not in ('date', 'etag', 'expires',
'cache-control', 'cache-control',
'content-location', 'content-location',
'content-security-policy',
'vary')} 'vary')}
if badheaders: if badheaders:
raise error.ProgrammingError( raise error.ProgrammingError(
'illegal header on 304 response: %s' % 'illegal header on 304 response: %s' %
', '.join(sorted(badheaders))) ', '.join(sorted(badheaders)))
if self._bodygen is not None or self._bodywillwrite: if self._bodygen is not None or self._bodywillwrite:
raise error.ProgrammingError("must use setbodybytes('') with " raise error.ProgrammingError("must use setbodybytes('') with "

tests/test-hgweb-csp.t

$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
200 Script output follows 200 Script output follows
content-security-policy: script-src https://example.com/ 'unsafe-inline' content-security-policy: script-src https://example.com/ 'unsafe-inline'
$ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy
200 Script output follows 200 Script output follows
content-security-policy: script-src https://example.com/ 'unsafe-inline' content-security-policy: script-src https://example.com/ 'unsafe-inline'
500 Internal Server Error 304 Not Modified
[1] content-security-policy: script-src https://example.com/ 'unsafe-inline'
repo page should send CSP by default, include etag w/o nonce repo page should send CSP by default, include etag w/o nonce
$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
200 Script output follows 200 Script output follows
content-security-policy: script-src https://example.com/ 'unsafe-inline' content-security-policy: script-src https://example.com/ 'unsafe-inline'
etag: W/"*" (glob) etag: W/"*" (glob)