hgserver: explicitly test for <script> content (bug 1333615); r?glob
In preparation for adding a nonce, let's tweak the test so we can
demonstrate change in behavior.
MozReview-Commit-ID: 5f3C2cTH1av
--- a/hgserver/tests/test-csp.t
+++ b/hgserver/tests/test-csp.t
@@ -3,19 +3,21 @@
$ . $TESTDIR/hgserver/tests/helpers.sh
$ hgmoenv
$ hgmo create-repo mozilla-central scm_level_3
(recorded repository creation in replication log)
CSP header should be present on normal HTTP requests
- $ http ${HGWEB_0_URL}mozilla-central --no-body --header content-security-policy
- 200
+ $ http ${HGWEB_0_URL}mozilla-central/shortlog --header content-security-policy | grep script
content-security-policy: default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
+ <script type="text/javascript" src="/mozilla-central/static/mercurial.js"></script>
+ <script type="text/javascript">
+ </script>
CSP header absent on protocol requests
$ http ${HGWEB_0_URL}mozilla-central?cmd=capabilities --no-body --header content-security-policy
200
CSP header absent from Mercurial user agents
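Review bot: the `| grep script` added to the first request drops the `200` line from the expected output, so the "CSP header should be present on normal HTTP requests" case no longer asserts the response status. The header line also only survives the filter because `script-src` happens to contain the word "script", which makes the match fragile if the policy text changes. Consider keeping a separate `--no-body` request that still checks for `200`, and using a tighter pattern such as `grep -E '^content-security-policy|<script|</script'` so the test states what it intends to capture. Since the follow-up adds a nonce, it would also help to say in the test comment that the inline `<script type="text/javascript">` block is currently permitted only by `'unsafe-inline'`.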