ansible/hg-web: emit CSP header from Mercurial (bug 1333615); r?glob
Mercurial 4.1 (which we just upgraded to) has built-in support for
emitting a Content-Security-Policy header. The big benefit over having
the parent HTTP server add the header is that Mercurial can generate
and use a nonce in inline <script> so the policy doesn't have to use
"unsafe-inline."
This commit moves the generation of the CSP header from httpd to hg.
As part of this, the CSP header was added to HTTP responses that
it previously wasn't. Despite me implementing the CSP feature
upstream, I forgot to special case protocol requests from emitting
the CSP policy like we did at Mozilla (to minimize bytes). Derp.
I may fix this in 4.2.
For now, let's pave over it by unsetting the header for identified
protocol requests. This required a clean-up block of sorts in the
vhost config. Apache httpd does have some wonky behavior when it
comes to order of execution of directives (especially when <If>
and <Location> are involved). But our tests running an actual
Apache httpd process using the same version used in production
show the desired behavior. So I'll take it.
MozReview-Commit-ID: EzTdIxING0W
--- a/ansible/roles/hg-web/files/hgrc
+++ b/ansible/roles/hg-web/files/hgrc
@@ -14,16 +14,20 @@ logourl = https://developer.mozilla.org/
style = gitweb_mozilla
allow_archive = bz2 gz zip
templates = /repo_local/mozilla/hg_templates/
encoding = UTF-8
baseurl = https://hg.mozilla.org/
maxchanges = 20
guessmime = True
+# bugzilla.mo is for l10n tool.
+# TODO find out URL for l10n tools needing this and restrict to that.
+csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
+
# We don't allow pushes over HTTP. But if this isn't set, pushing to https://
# prints a "SSL required" message because the load balancer terminates TLS
# and Mercurial thinks SSL isn't being used.
push_ssl = false
# Pygments does content based analysis to determine the language for
# unknown file extensions. Unfortunately, it is overly aggressive about
# matching and nearly any text will cause it to think it knows what the
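Review bot: the `csp =` value added here still carries `'unsafe-inline'` in both `script-src` and `style-src`, so the policy does not yet deliver the benefit the commit message gives as the reason for moving header generation into Mercurial (a per-response nonce instead of `'unsafe-inline'`); an injected inline script is still executable under this policy. If the templates are not ready for a nonce-based policy in this change, a comment next to the `csp` line saying so (and a bug reference, like the existing TODO for the bugzilla.mozilla.org `connect-src` entry) would keep the next reader from assuming `'unsafe-inline'` is intentional. Once the inline blocks in the gitweb_mozilla templates are nonced, `'unsafe-inline'` can be replaced with Mercurial's nonce placeholder in this same setting.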
--- a/ansible/roles/hg-web/templates/vhost.conf.j2
+++ b/ansible/roles/hg-web/templates/vhost.conf.j2
@@ -87,31 +87,27 @@ LimitRequestFields 1000
RewriteCond %{QUERY_STRING} cmd= [NC]
RewriteRule ^ - [E=HG_PROTOCOL:1]
# Enable HSTS unless for HG clients.
<If "-z env('HG_PROTOCOL')">
Header set Strict-Transport-Security max-age=31536000
</If>
- # Enable CSP unless for HG clients.
- <Location "/">
- # bugzilla.mo is for l10n
- # TODO find out URL for l10n tools needing this and restrict to that.
- <If "-z env('HG_PROTOCOL')">
- Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
- </If>
+ # Reftest analyzer needs a lot of exceptions to work. Bug 1200501
+ # tracks not hosting it from VCS.
+ #
+ # Mercurial's built-in CSP support doesn't allow to change the policy per
+ # URL. So we special case it and override hgweb's header here.
+ <Location "/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml">
+ Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
</Location>
- # Reftest analyzer needs a lot of exceptions to work. Bug 1200501
- # tracks not hosting it from VCS.
- <Location "/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml">
- <If "-z env('HG_PROTOCOL')">
- Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
- </If>
- </Location>
+ <If "-n env('HG_PROTOCOL')">
+ Header unset Content-Security-Policy
+ </If>
</VirtualHost>
# Local variables:
# mode: apache
# tab-width: 4
# indent-tabs-mode: nil
# end:
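Review bot: the reftest-analyzer `<Location>` block lost its `<If "-z env('HG_PROTOCOL')">` guard, so its `Header set Content-Security-Policy` now applies to protocol requests as well and depends on the new top-level `<If "-n env('HG_PROTOCOL')">` `Header unset` being merged after the `<Location>` section to strip it again. The commit message says the httpd-based tests confirm that order, but the config comment only says "we special case it and override hgweb's header here"; please record the ordering dependency in the comment above the `<If>` (that it must win over the `<Location>` override for protocol requests) so a future reordering of the vhost does not silently reintroduce the header for HG clients. Separately, `Header set` and `Header unset` without `always` only act on the success-response header table, so a protocol request answered with a non-2xx status may still carry the Mercurial-emitted header; if the intent is to strip it from every protocol response, `Header always unset Content-Security-Policy` is the safer form, and the tests should include an error-status protocol request to cover it.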