ansible/hg-web: emit CSP header from Mercurial (bug 1333615); r?glob draft
authorGregory Szorc <gps@mozilla.com>
Wed, 05 Apr 2017 17:45:56 -0700
changeset 10765 95244da7e42c29e54737595f27573c95892606a8
parent 10764 249a47720ddcf896a9f07600c429a1b4492b805e
child 10766 69f9132f9d41fc54004157540f4a3f93fc3980ae
push id1619
push userbmo:gps@mozilla.com
push dateTue, 11 Apr 2017 21:40:13 +0000
reviewersglob
bugs1333615
ansible/hg-web: emit CSP header from Mercurial (bug 1333615); r?glob Mercurial 4.1 (which we just upgraded to) has built-in support for emitting a Content-Security-Policy header. The big benefit over having the parent HTTP server add the header is that Mercurial can generate and use a nonce in inline <script> so the policy doesn't have to use "unsafe-inline." This commit moves the generation of the CSP header from httpd to hg. As part of this, the CSP header was added to HTTP responses that it previously wasn't. Despite me implementing the CSP feature upstream, I forgot to special case protocol requests from emitting the CSP policy like we did at Mozilla (to minimize bytes). Derp. I may fix this in 4.2. For now, let's pave over it by unsetting the header for identified protocol requests. This required a clean-up block of sorts in the vhost config. Apache httpd does have some wonky behavior when it comes to order of execution of directives (especially when <If> and <Location> are involved). But our tests running an actual Apache httpd process using the same version used in production show the desired behavior. So I'll take it. MozReview-Commit-ID: EzTdIxING0W
ansible/roles/hg-web/files/hgrc
ansible/roles/hg-web/templates/vhost.conf.j2
--- a/ansible/roles/hg-web/files/hgrc
+++ b/ansible/roles/hg-web/files/hgrc
@@ -14,16 +14,20 @@ logourl = https://developer.mozilla.org/
 style = gitweb_mozilla
 allow_archive = bz2 gz zip
 templates = /repo_local/mozilla/hg_templates/
 encoding = UTF-8
 baseurl = https://hg.mozilla.org/
 maxchanges = 20
 guessmime = True
 
+# bugzilla.mo is for l10n tool.
+# TODO find out URL for l10n tools needing this and restrict to that.
+csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
+
 # We don't allow pushes over HTTP. But if this isn't set, pushing to https://
 # prints a "SSL required" message because the load balancer terminates TLS
 # and Mercurial thinks SSL isn't being used.
 push_ssl = false
 
 # Pygments does content based analysis to determine the language for
 # unknown file extensions. Unfortunately, it is overly aggressive about
 # matching and nearly any text will cause it to think it knows what the
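Review bot: The new `csp` value keeps `script-src 'self' 'unsafe-inline'` (and the same for `style-src`), so the stated motivation for moving the header into hgweb — a per-request nonce instead of `'unsafe-inline'` — is not realised by this change: inline scripts in the site templates under `/repo_local/mozilla/hg_templates/` still run unchecked, and a markup injection into any hgweb page still yields script execution exactly as before. If hgweb's csp setting substitutes a nonce placeholder as the description says (upstream appears to use `%nonce%`; confirm for the deployed version), the directive can become `script-src 'self' 'nonce-%nonce%'` once the custom templates, which are not in this diff, carry a `nonce` attribute on their inline `<script>` tags; until that is done a comment such as `# 'unsafe-inline' stays until the gitweb_mozilla templates emit nonces; see %nonce% in hgweb` would stop a later reader from assuming the nonce path is already in use. Separately, `default-src 'none'` does not govern `base-uri` or `form-action`, so the policy would benefit from an explicit `base-uri 'none'; form-action 'self'`.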
--- a/ansible/roles/hg-web/templates/vhost.conf.j2
+++ b/ansible/roles/hg-web/templates/vhost.conf.j2
@@ -87,31 +87,27 @@ LimitRequestFields 1000
     RewriteCond %{QUERY_STRING} cmd= [NC]
     RewriteRule ^ - [E=HG_PROTOCOL:1]
 
     # Enable HSTS unless for HG clients.
     <If "-z env('HG_PROTOCOL')">
         Header set Strict-Transport-Security max-age=31536000
     </If>
 
-    # Enable CSP unless for HG clients.
-    <Location "/">
-        # bugzilla.mo is for l10n
-        # TODO find out URL for l10n tools needing this and restrict to that.
-        <If "-z env('HG_PROTOCOL')">
-            Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
-        </If>
+    # Reftest analyzer needs a lot of exceptions to work. Bug 1200501
+    # tracks not hosting it from VCS.
+    #
+    # Mercurial's built-in CSP support doesn't allow to change the policy per
+    # URL. So we special case it and override hgweb's header here.
+    <Location "/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml">
+        Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
     </Location>
 
-    # Reftest analyzer needs a lot of exceptions to work. Bug 1200501
-    # tracks not hosting it from VCS.
-    <Location "/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml">
-        <If "-z env('HG_PROTOCOL')">
-            Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
-        </If>
-    </Location>
+    <If "-n env('HG_PROTOCOL')">
+        Header unset Content-Security-Policy
+    </If>
 </VirtualHost>
 
 # Local variables:
 # mode: apache
 # tab-width: 4
 # indent-tabs-mode: nil
 # end:
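Review bot: The new `Header unset Content-Security-Policy` block fires for whatever the `RewriteCond %{QUERY_STRING} cmd= [NC]` rule above marks, and that is an unanchored substring match, so a browser-facing URL whose query string merely contains `cmd=` (a legacy `?cmd=file&...` hgweb URL, or any parameter whose name ends in `cmd`) is served as HTML with no CSP at all; with hgweb now the sole source of the header, this unset is the only thing that can strip it, so the heuristic deserves to be tighter than it needed to be before. Anchoring it as `RewriteCond %{QUERY_STRING} (^|&)cmd= [NC]` removes the substring case, and pairing it with a condition on a header that only the Mercurial client sends on protocol requests (its `Accept`/`User-Agent` values look distinctive; verify against the client versions in use) would also exclude legacy web-command URLs. A why-comment above the block would help the next maintainer remove it when upstream is fixed, e.g. `# hgweb 4.1 emits CSP on protocol responses too; drop it here until upstream special-cases protocol requests (see commit message).`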