diff -r eb7de21b15be -r d7bf7d2bd5ab mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py Tue Jan 10 20:47:48 2017 -0800
+++ b/mercurial/hgweb/hgweb_mod.py Tue Jan 10 23:37:08 2017 -0800
@@ -19,6 +19,7 @@
 HTTP_OK,
 HTTP_SERVER_ERROR,
 caching,
+ cspvalues,
 permhooks,
 )
 from .request import wsgirequest
@@ -115,6 +116,8 @@
 # of the request.
 self.websubtable = app.websubtable
 
+ self.csp, self.nonce = cspvalues(self.repo.ui)
+
 # Trust the settings from the .hg/hgrc files by default.
 def config(self, section, name, default=None, untrusted=True):
 return self.repo.ui.config(section, name, default,
@@ -201,6 +204,7 @@
 'sessionvars': sessionvars,
 'pathdef': makebreadcrumb(req.url),
 'style': style,
+ 'nonce': self.nonce,
 }
 tmpl = templater.templater.frommapfile(mapfile,
 filters={'websub': websubfilter},
@@ -318,6 +322,13 @@
 encoding.encoding = rctx.config('web', 'encoding', encoding.encoding)
 rctx.repo.ui.environ = req.env
 
+ if rctx.csp:
+ # hgwebdir may have added CSP header. Since we generate our own,
+ # replace it.
+ req.headers = [h for h in req.headers
+ if h[0] != 'Content-Security-Policy']
+ req.headers.append(('Content-Security-Policy', rctx.csp))
+
 # work with CGI variables to create coherent structure
 # use SCRIPT_NAME, PATH_INFO and QUERY_STRING as well as our REPO_NAME
 
@@ -414,7 +425,9 @@
 req.form['cmd'] = [tmpl.cache['default']]
 cmd = req.form['cmd'][0]
 
- if rctx.configbool('web', 'cache', True):
+ # Don't enable caching if using a CSP nonce because then it wouldn't
+ # be a nonce.
+ if rctx.configbool('web', 'cache', True) and not rctx.nonce:
 caching(self, req) # sets ETag header or raises NOT_MODIFIED
 if cmd not in webcommands.__all__:
 msg = 'no such method: %s' % cmd
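Review bot: The nonce stored by `self.csp, self.nonce = cspvalues(self.repo.ui)` is only a nonce if this object is constructed once per request; nothing in the hunk shows the lifetime of the enclosing object, whose `__init__` begins outside the hunk, so a one-line comment stating the per-request assumption would help the next maintainer, e.g. `# Computed per request: the nonce must never be reused across responses.`. The hunk also gives no hint of what `cspvalues` returns when CSP is not configured; since later code tests `if rctx.csp:` and `not rctx.nonce`, a short comment noting that both are falsy in that case (if that is indeed the contract) would make the downstream guards easier to verify.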
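Review bot: The filter `if h[0] != 'Content-Security-Policy'` compares the header name case-sensitively, but HTTP header names are case-insensitive, so a policy header added upstream with different casing would survive and the browser would enforce both policies, the stricter one effectively overriding the nonce-based one generated here. The comparison should be `if h[0].lower() != 'content-security-policy'`. The enclosing method starts and ends outside the hunk.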
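Review bot: Skipping `caching(self, req)` when a nonce is in use only disables the ETag/304 path; the response itself can still be stored by an intermediary or browser cache unless a `Cache-Control` header says otherwise, and a replayed page would reuse the nonce. No such header is visible in this diff, so if it is not set elsewhere consider adding `req.headers.append(('Cache-Control', 'no-store'))` next to the `Content-Security-Policy` header in the `if rctx.csp:` block of the earlier hunk. The enclosing method continues outside the hunk.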