ansible/hg-web: add https://taskcluster-artifacts.net/ to CSP policy (
bug 1370952); r?fubar, sheehan
This is the CloudFront hostname for TaskCluster public artifacts and
replaces https://public-artifacts.taskcluster.net/ (the latter
redirects now).
MozReview-Commit-ID: 4zeuDCAYukz
--- a/ansible/roles/hg-web/templates/vhost.conf.j2
+++ b/ansible/roles/hg-web/templates/vhost.conf.j2
@@ -93,17 +93,17 @@ LimitRequestFields 1000
</If>
# Reftest analyzer needs a lot of exceptions to work. Bug 1200501
# tracks not hosting it from VCS.
#
# Mercurial's built-in CSP support doesn't allow to change the policy per
# URL. So we special case it and override hgweb's header here.
<Location "/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml">
- Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https:"
+ Header set Content-Security-Policy "default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/ https://taskcluster-artifacts.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https:"
</Location>
<If "-n env('HG_PROTOCOL')">
Header unset Content-Security-Policy
</If>
</VirtualHost>
# Local variables:
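Review bot: the commit message says taskcluster-artifacts.net "replaces" public-artifacts.taskcluster.net, but the new connect-src at `+ Header set Content-Security-Policy ...` keeps both hosts, so the policy now grants two origins where the message implies one. Since the old host only redirects, it is still needed as the first hop (browsers check every hop of a redirect chain against connect-src, and the new entry covers the destination), but that rationale should be stated either in the comment block above the Location stanza or in the commit message, with a follow-up to drop `https://public-artifacts.taskcluster.net/` once nothing links to it. Note also that this is the only CSP in the vhost that is hand-maintained in the template rather than generated by hgweb, so any later host change has to be made here and in test-csp.t in lockstep.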
--- a/hgserver/tests/test-csp.t
+++ b/hgserver/tests/test-csp.t
@@ -31,18 +31,18 @@ CSP header absent if both conditions are
$ http ${HGWEB_0_URL}mozilla-central?cmd=capabilities --agent 'mercurial/proto-1.0' --no-body --header content-security-policy
200
reftest analyzer is a special snowflake
$ http ${HGWEB_0_URL}mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml --no-body --header content-security-policy
200
- content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https:
+ content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/ https://taskcluster-artifacts.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https:
$ http "${HGWEB_0_URL}mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml#logurl=https://queue.taskcluster.net/v1/task/KQYN-Sa9TBmXR3m8GaXXwg/runs/0/artifacts/public/logs/live_backing.log&only_show_unexpected=1" --no-body --header content-security-policy
200
- content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https:
+ content-security-policy: default-src 'none'; connect-src 'self' https://archive.mozilla.org/ https://public-artifacts.taskcluster.net/ https://queue.taskcluster.net/ https://taskcluster-artifacts.net/; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https:
No CSP if HG user-agent
$ http ${HGWEB_0_URL}mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml --agent 'mercurial/proto-1.0' --no-body --header content-security-policy
200
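Review bot: the two updated expectations are identical, and will stay identical by construction: the `#logurl=...` fragment in the second `$ http ...reftest-analyzer.xhtml#logurl=...` request is never sent to the server, so that case exercises nothing the first one does not and both had to be edited by hand for this one-host change. Consider collapsing them to a single assertion, or replacing the exact-string match with a check that the header's connect-src contains `https://taskcluster-artifacts.net/`, so the test fails only when the allowlist actually regresses rather than on any reordering of sources. The final case (Mercurial user agent, expecting `200` with no content-security-policy line) is unchanged and still covers the `Header unset` path.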