( )⚙ D3436 hgweb: allow Content-Security-Policy header on 304 responses (issue5844)

This is an archive of the discontinued Mercurial Phabricator instance.

Differential D3436

hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
ClosedPublic

Authored by indygreg on Apr 30 2018, 8:37 PM.

Details

Reviewers
krbullock
Group Reviewers
hg-reviewers
Commits
rHG3e3acf5d6a07: hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
Summary

A side-effect of 98baf8dea553 was that the Content-Security-Policy
header was set on all HTTP responses by default. This header wasn't
in our list of allowed headers for HTTP 304 responses. This would
trigger a ProgrammingError when a 304 response was issued via hgwebdir.

This commit adds Content-Security-Policy to the allow list of headers
for 304 responses so we no longer encounter the error.

Diff Detail

Repository
rHG Mercurial
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

indygreg created this revision.Apr 30 2018, 8:37 PM
krbullock accepted this revision.May 2 2018, 10:10 PM
krbullock added a subscriber: krbullock.

Queued, thanks.

This revision is now accepted and ready to land.May 2 2018, 10:10 PM
Closed by commit rHG3e3acf5d6a07: hgweb: allow Content-Security-Policy header on 304 responses (issue5844) (authored by indygreg). · Explain WhyMay 2 2018, 10:25 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathPackages
Mmercurial/hgweb/request.py (1 line)
Mtests/test-hgweb-csp.t (4 lines)

Diff 8444

mercurial/hgweb/request.py

del self.headers['Content-Length'] del self.headers['Content-Length']
# Strictly speaking, this is too strict. But until it causes # Strictly speaking, this is too strict. But until it causes
# problems, let's be strict. # problems, let's be strict.
badheaders = {k for k in self.headers.keys() badheaders = {k for k in self.headers.keys()
if k.lower() not in ('date', 'etag', 'expires', if k.lower() not in ('date', 'etag', 'expires',
'cache-control', 'cache-control',
'content-location', 'content-location',
'content-security-policy',
'vary')} 'vary')}
if badheaders: if badheaders:
raise error.ProgrammingError( raise error.ProgrammingError(
'illegal header on 304 response: %s' % 'illegal header on 304 response: %s' %
', '.join(sorted(badheaders))) ', '.join(sorted(badheaders)))
if self._bodygen is not None or self._bodywillwrite: if self._bodygen is not None or self._bodywillwrite:
raise error.ProgrammingError("must use setbodybytes('') with " raise error.ProgrammingError("must use setbodybytes('') with "

tests/test-hgweb-csp.t

$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
200 Script output follows 200 Script output follows
content-security-policy: script-src https://example.com/ 'unsafe-inline' content-security-policy: script-src https://example.com/ 'unsafe-inline'
$ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy
200 Script output follows 200 Script output follows
content-security-policy: script-src https://example.com/ 'unsafe-inline' content-security-policy: script-src https://example.com/ 'unsafe-inline'
500 Internal Server Error 304 Not Modified
[1] content-security-policy: script-src https://example.com/ 'unsafe-inline'
repo page should send CSP by default, include etag w/o nonce repo page should send CSP by default, include etag w/o nonce
$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
200 Script output follows 200 Script output follows
content-security-policy: script-src https://example.com/ 'unsafe-inline' content-security-policy: script-src https://example.com/ 'unsafe-inline'
etag: W/"*" (glob) etag: W/"*" (glob)