ansible/hg-web: add "upgrade-insecure-requests" to CSP policy (bug 1335626); r?April
This will force all http:// requests to https://, even if they are
on other domains.
MozReview-Commit-ID: FiFN6KBDWj2
--- a/ansible/roles/hg-web/files/hgrc
+++ b/ansible/roles/hg-web/files/hgrc
@@ -16,17 +16,17 @@ allow_archive = bz2 gz zip
templates = /repo_local/mozilla/hg_templates/
encoding = UTF-8
baseurl = https://hg.mozilla.org/
maxchanges = 20
guessmime = True
# bugzilla.mo is for l10n tool.
# TODO find out URL for l10n tools needing this and restrict to that.
-csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'
+csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests
# We don't allow pushes over HTTP. But if this isn't set, pushing to https://
# prints a "SSL required" message because the load balancer terminates TLS
# and Mercurial thinks SSL isn't being used.
push_ssl = false
# Pygments does content based analysis to determine the language for
# unknown file extensions. Unfortunately, it is overly aggressive about
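Review bot: the comment block above the `csp` line should say what `upgrade-insecure-requests` actually covers, because the commit message overstates it: the directive rewrites insecure subresource requests (scripts, images, XHR/fetch) to https:// on any host, and same-host navigations, but cross-origin top-level navigations such as a link to another site's http:// URL are not upgraded. With `default-src 'none'`, `img-src 'self'` and a `connect-src` limited to https origins, nothing in this policy could have loaded over plain http anyway, so the practical gain is the same-host link upgrade plus a safety net if a later source-list change adds an http:// origin. Suggest a line such as `# upgrade-insecure-requests: rewrite http:// subresources and same-host links to https://` next to the directive. The load balancer terminating TLS (see the `push_ssl` comment) does not affect this: CSP is enforced by the browser against the URL it requested, not the scheme the origin server sees.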
--- a/ansible/roles/hg-web/templates/vhost.conf.j2
+++ b/ansible/roles/hg-web/templates/vhost.conf.j2
@@ -93,17 +93,17 @@ LimitRequestFields 1000
</If>
# Reftest analyzer needs a lot of exceptions to work. Bug 1200501
# tracks not hosting it from VCS.
#
# Mercurial's built-in CSP support doesn't allow to change the policy per
# URL. So we special case it and override hgweb's header here.
<Location "/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml">
- Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
+ Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests"
</Location>
<If "-n env('HG_PROTOCOL')">
Header unset Content-Security-Policy
</If>
</VirtualHost>
# Local variables:
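Review bot: this override duplicates the hgrc policy by hand, and the hunk shows the drift risk that creates, with the same directive appended separately here and in hgrc. Consider rendering the shared tail of the policy (`style-src 'self' 'unsafe-inline'; upgrade-insecure-requests`) from one Ansible variable into both files so a future directive is not forgotten in one of them. The `Header unset` in the `HG_PROTOCOL` block below still runs after this `Header set`, so protocol requests to the reftest-analyzer path continue to get no CSP, as the test in test-csp.t expects.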
--- a/hgserver/tests/test-csp.t
+++ b/hgserver/tests/test-csp.t
@@ -4,17 +4,17 @@
$ hgmoenv
$ hgmo create-repo mozilla-central scm_level_3
(recorded repository creation in replication log)
CSP header should be present on normal HTTP requests
$ http ${HGWEB_0_URL}mozilla-central/shortlog --header content-security-policy | grep script
- content-security-policy: default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-*'; style-src 'self' 'unsafe-inline' (glob)
+ content-security-policy: default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-*'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests (glob)
<script type="text/javascript" src="/mozilla-central/static/mercurial.js"></script>
<script type="text/javascript" nonce="*"> (glob)
</script>
CSP header absent on protocol requests
$ http ${HGWEB_0_URL}mozilla-central?cmd=capabilities --no-body --header content-security-policy
200
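Review bot: the only check of the hgrc policy is the shortlog request filtered through `grep script`; that match silently depends on the header containing the string `script-src`, and no test confirms that an ordinary raw-file response (any path outside the reftest-analyzer `Location` override) carries `upgrade-insecure-requests`. Add one assertion against another raw-file URL so the new directive is verified on both the hgweb-generated and the Apache-overridden paths.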
@@ -31,18 +31,18 @@ CSP header absent if both conditions are
$ http ${HGWEB_0_URL}mozilla-central?cmd=capabilities --agent 'mercurial/proto-1.0' --no-body --header content-security-policy
200
reftest analyzer is a special snowflake
$ http ${HGWEB_0_URL}mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml --no-body --header content-security-policy
200
- content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
+ content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests
$ http "${HGWEB_0_URL}mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml#logurl=https://queue.taskcluster.net/v1/task/KQYN-Sa9TBmXR3m8GaXXwg/runs/0/artifacts/public/logs/live_backing.log&only_show_unexpected=1" --no-body --header content-security-policy
200
- content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
+ content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests
No CSP if HG user-agent
$ http ${HGWEB_0_URL}mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml --agent 'mercurial/proto-1.0' --no-body --header content-security-policy
200
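Review bot: the second reftest-analyzer request differs from the first only by a URL fragment (`#logurl=...`), which the HTTP client never sends to the server, so both assertions exercise the same response and the duplicated expected line adds no coverage. Keep one of them, or if the fragment form is there to document how the analyzer is invoked, say so in the test's descriptive text rather than leaving it as a second identical header check.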