Patchwork D3436: hgweb: allow Content-Security-Policy header on 304 responses (issue5844)

Submitter phabricator
Date May 1, 2018, 12:37 a.m.
Message ID <differential-rev-PHID-DREV-h5arisdchn4fj2mhghns-req@phab.mercurial-scm.org>
Permalink /patch/31249/
State Superseded

Comments

phabricator - May 1, 2018, 12:37 a.m.
indygreg created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.

REVISION SUMMARY
  A side-effect of https://phab.mercurial-scm.org/rHG98baf8dea553430c8093c244dbad8d79f4a23f88 was that the Content-Security-Policy
  header was set on all HTTP responses by default. This header wasn't
  in our list of allowed headers for HTTP 304 responses. This would
  trigger a ProgrammingError when a 304 response was issued via hgwebdir.
  
  This commit adds Content-Security-Policy to the allow list of headers
  for 304 responses so we no longer encounter the error.

REPOSITORY
  rHG Mercurial

REVISION DETAIL
  https://phab.mercurial-scm.org/D3436

AFFECTED FILES
  mercurial/hgweb/request.py
  tests/test-hgweb-csp.t

CHANGE DETAILS

To: indygreg, #hg-reviewers
Cc: mercurial-devel
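The failure described in the summary above, modelled as an added example that is not Mercurial's code: a minimal WSGI app serves a static asset with an ETag and a CSP header and answers a matching If-None-Match with 304, behind middleware that enforces the 304 header allow list from this patch. The header names come from the patch; the app, the sample asset and the `ProgrammingError` class are constructed stand-ins, and the pre-patch allow list is included so the original failure (which a real server surfaces as the 500 seen in the old test expectation) can be reproduced in-process.

```python
# Allow list from the patched hgweb: RFC 7232's 304 header set plus CSP.
ALLOWED_304 = frozenset(('date', 'etag', 'expires', 'cache-control',
                         'content-location', 'content-security-policy', 'vary'))
# The pre-patch list, under which a 304 carrying CSP was a ProgrammingError.
ALLOWED_304_BEFORE = ALLOWED_304 - {'content-security-policy'}

# Constructed sample asset, not a real hgweb resource.
CSP = "script-src https://example.com/ 'unsafe-inline'"
ETAG = '"style-v1"'
BODY = b'body { color: black }'


class ProgrammingError(Exception):
    """Stand-in for hgweb's error for a 304 that carries disallowed headers."""


def static_app(environ, start_response):
    """Serve the asset with CSP + ETag; answer a matching If-None-Match with 304."""
    headers = [('Content-Security-Policy', CSP), ('ETag', ETAG)]
    if environ.get('HTTP_IF_NONE_MATCH') == ETAG:
        start_response('304 Not Modified', headers)
        return [b'']
    start_response('200 OK', headers + [('Content-Type', 'text/css')])
    return [BODY]


def enforce_304_headers(app, allowed=ALLOWED_304):
    """WSGI middleware: reject any 304 whose headers fall outside `allowed`."""
    def wrapped(environ, start_response):
        def checked(status, headers, exc_info=None):
            if status.startswith('304'):
                # Case-insensitive comparison, as in hgweb's check.
                bad = sorted(k for k, _ in headers if k.lower() not in allowed)
                if bad:
                    raise ProgrammingError('illegal headers on 304: %s' % bad)
            return start_response(status, headers, exc_info)
        return app(environ, checked)
    return wrapped


def fetch(app, if_none_match=None):
    """Invoke `app` in-process (no socket); return (status, headers dict, body)."""
    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/static/style.css'}
    if if_none_match is not None:
        environ['HTTP_IF_NONE_MATCH'] = if_none_match
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'], captured['headers'] = status, dict(headers)
    body = b''.join(app(environ, start_response))
    return captured['status'], captured['headers'], body
```

Calling `fetch` twice, the second time with the ETag from the first response, mirrors what `get-with-headers.py --twice` does in the test file.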
phabricator - May 3, 2018, 2:10 a.m.
krbullock accepted this revision.
krbullock added a comment.
This revision is now accepted and ready to land.
  Queued, thanks.

REPOSITORY
  rHG Mercurial

REVISION DETAIL
  https://phab.mercurial-scm.org/D3436

To: indygreg, #hg-reviewers, krbullock
Cc: krbullock, mercurial-devel

Patch

diff --git a/tests/test-hgweb-csp.t b/tests/test-hgweb-csp.t
--- a/tests/test-hgweb-csp.t
+++ b/tests/test-hgweb-csp.t
@@ -57,8 +57,8 @@ 
   $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy
   200 Script output follows
   content-security-policy: script-src https://example.com/ 'unsafe-inline'
-  500 Internal Server Error
-  [1]
+  304 Not Modified
+  content-security-policy: script-src https://example.com/ 'unsafe-inline'
 
 repo page should send CSP by default, include etag w/o nonce
 
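Review bot: the new 304 expectation only filters for content-security-policy, so it does not show that the conditional request actually matched on the validator; consider adding etag to the header filter on the get-with-headers.py line so the 304 block also lists the ETag echoed from the 200 response (the following test title already refers to the etag/nonce behaviour). A one-line comment above the command naming issue5844 would also help a future reader understand why a 304 is expected to carry CSP at all.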
diff --git a/mercurial/hgweb/request.py b/mercurial/hgweb/request.py
--- a/mercurial/hgweb/request.py
+++ b/mercurial/hgweb/request.py
@@ -473,6 +473,7 @@ 
                           if k.lower() not in ('date', 'etag', 'expires',
                                                'cache-control',
                                                'content-location',
+                                               'content-security-policy',
                                                'vary')}
             if badheaders:
                 raise error.ProgrammingError(
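Review bot: the allow list is still an inline tuple of literals, and the six existing entries are exactly the header set RFC 7232 section 4.1 requires on a 304, while 'content-security-policy' is a deliberate addition with no comment explaining it; consider hoisting the tuple to a module-level constant with a comment citing the RFC and the reason CSP is included (issue5844), so the next default security header added to responses is handled in one obvious place rather than rediscovered through another ProgrammingError. The case-insensitive comparison via k.lower() is correct and should be kept.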