ansible/hg-web: add "frame-ancestors: https:" to CSP (bug 1336590); r?fubar
This effectively prevents framing from non-https sites. While we
could prohibit framing from all sites, there may be someone out
there who frames us. We shouldn't have any sensitive data to leak
via frames, so I'm inclined to allow framing to continue until there
is a real security concern.
MozReview-Commit-ID: KbshP4Vsbx8
--- a/ansible/roles/hg-web/files/hgrc
+++ b/ansible/roles/hg-web/files/hgrc
@@ -16,17 +16,17 @@ allow_archive = bz2 gz zip
templates = /repo_local/mozilla/hg_templates/
encoding = UTF-8
baseurl = https://hg.mozilla.org/
maxchanges = 20
guessmime = True
# bugzilla.mo is for l10n tool.
# TODO find out URL for l10n tools needing this and restrict to that.
-csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests
+csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors: https:
# We don't allow pushes over HTTP. But if this isn't set, pushing to https://
# prints a "SSL required" message because the load balancer terminates TLS
# and Mercurial thinks SSL isn't being used.
push_ssl = false
# Pygments does content based analysis to determine the language for
# unknown file extensions. Unfortunately, it is overly aggressive about
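Review bot: the directive appended to the `csp =` line, `frame-ancestors: https:`, is not valid CSP syntax: a directive is a name followed by whitespace and its value, with no colon after the name, so a browser will treat `frame-ancestors:` as an unknown directive name and ignore it, leaving framing unrestricted despite the commit's intent. It should read `frame-ancestors https:`. Worth keeping in mind when reviewing the rest of the policy: `frame-ancestors` does not fall back to `default-src`, so `default-src 'none'` on its own never restricted framing, which is why the explicit directive is needed here.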
--- a/ansible/roles/hg-web/templates/vhost.conf.j2
+++ b/ansible/roles/hg-web/templates/vhost.conf.j2
@@ -93,17 +93,17 @@ LimitRequestFields 1000
</If>
# Reftest analyzer needs a lot of exceptions to work. Bug 1200501
# tracks not hosting it from VCS.
#
# Mercurial's built-in CSP support doesn't allow to change the policy per
# URL. So we special case it and override hgweb's header here.
<Location "/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml">
- Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests"
+ Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors: https:"
</Location>
<If "-n env('HG_PROTOCOL')">
Header unset Content-Security-Policy
</If>
</VirtualHost>
# Local variables:
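Review bot: the same malformed directive appears in the `Header set Content-Security-Policy` value inside the reftest-analyzer `<Location>` block; `frame-ancestors: https:` should be `frame-ancestors https:`. Because this header overrides hgweb's policy for that URL, a fix to hgrc alone would leave reftest-analyzer.xhtml frameable from any origin while the rest of the site is restricted, so both files need the corrected spelling.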
--- a/hgserver/tests/test-csp.t
+++ b/hgserver/tests/test-csp.t
@@ -4,17 +4,17 @@
$ hgmoenv
$ hgmo create-repo mozilla-central scm_level_3
(recorded repository creation in replication log)
CSP header should be present on normal HTTP requests
$ http ${HGWEB_0_URL}mozilla-central/shortlog --header content-security-policy | grep script
- content-security-policy: default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-*'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests (glob)
+ content-security-policy: default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-*'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors: https: (glob)
<script type="text/javascript" src="/mozilla-central/static/mercurial.js"></script>
<script type="text/javascript" nonce="*"> (glob)
</script>
CSP header absent on protocol requests
$ http ${HGWEB_0_URL}mozilla-central?cmd=capabilities --no-body --header content-security-policy
200
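Review bot: the new expectation `+ content-security-policy: ...; frame-ancestors: https: (glob)` locks in the colon-after-name spelling, so this test passes even though the directive has no effect in a browser; once hgrc is corrected to `frame-ancestors https:`, this line must change with it. Also note that the `| grep script` filter keeps the header line only because the value happens to contain `script-src`; if a later policy change removed that token the header would silently disappear from this check, so matching on `content-security-policy` instead of `script` would make the assertion more robust.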
@@ -31,18 +31,18 @@ CSP header absent if both conditions are
$ http ${HGWEB_0_URL}mozilla-central?cmd=capabilities --agent 'mercurial/proto-1.0' --no-body --header content-security-policy
200
reftest analyzer is a special snowflake
$ http ${HGWEB_0_URL}mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml --no-body --header content-security-policy
200
- content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests
+ content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors: https:
$ http "${HGWEB_0_URL}mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml#logurl=https://queue.taskcluster.net/v1/task/KQYN-Sa9TBmXR3m8GaXXwg/runs/0/artifacts/public/logs/live_backing.log&only_show_unexpected=1" --no-body --header content-security-policy
200
- content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests
+ content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors: https:
No CSP if HG user-agent
$ http ${HGWEB_0_URL}mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml --agent 'mercurial/proto-1.0' --no-body --header content-security-policy
200
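Review bot: both reftest-analyzer expectations (`+ content-security-policy: ...; frame-ancestors: https:`) repeat the malformed directive and should be updated together with the vhost.conf.j2 override to `frame-ancestors https:`. Since these two requests are checked with `--no-body` and no grep, they compare the full header value, so they will catch a mismatch between the Apache override and the test once the spelling is fixed in one place but not the other.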