ansible/hg-web: use /static/ in script-src CSP policy (bug 1341344); r=sheehan

This is a security fix to prevent agents respecting CSP policies from
loading scripts that come from content under version control (e.g. from
hgweb's /raw-file/ URLs).

I really wish CSP had a way to limit to paths via "self" so we didn't
have to include the full URL for the server in the CSP policy. But what
can you do.

Differential Revision: https://phabricator.services.mozilla.com/D10963

--HG--
extra : rebase_source : 1f843fa596e747aeeb0be03de49944aa16ca0228
extra : amend_source : 5e68fda4e01deb63f48b112cbf18ee168d22794a
indygreg committed Nov 7, 2018
1 parent fb2f882 commit eb2598a
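The CSP matching behaviour this commit relies on (that `'self'` admits any path on the page's origin, while a host-source such as `https://hg.mozilla.org/static/` restricts by path prefix) can be checked offline with the small matcher below. It is an added example, not code from this commit or from hg-web; the policies mirror the before/after `script-src` in the diff, the nonce value `abc` and the `/raw-file/` URL are constructed placeholders, and the matcher covers only `'self'`, `'nonce-…'`, scheme-source and host-source expressions.

```python
"""Evaluate whether a CSP script-src policy allows a given script URL.

Added example (not part of the hg-web project): a simplified matcher for CSP
source expressions, enough to show why 'self' permits /raw-file/ content while
a host-source ending in /static/ does not. Policies and URLs are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) tuple used for the 'self' comparison."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def parse_csp(policy):
    """Split a CSP header into {directive-name: [source expressions]}.
    As in the spec, only the first occurrence of a directive counts."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def host_source_matches(expr, url, page_scheme):
    """Match a host-source ([scheme://]host[:port][/path]) against a URL.

    Path rule: no path -> any path on that host; a path ending in '/' is a
    prefix match; any other path must match exactly. A scheme-less expression
    inherits the page's scheme (the spec's http->https allowance is not modelled).
    """
    e = urlsplit(expr if "://" in expr else page_scheme + "://" + expr)
    u = urlsplit(url)
    if e.scheme.lower() != u.scheme.lower():
        return False
    e_host, u_host = (e.hostname or "").lower(), (u.hostname or "").lower()
    if e_host.startswith("*."):
        if not u_host.endswith(e_host[1:]):
            return False
    elif e_host != u_host:
        return False
    e_port = e.port or DEFAULT_PORTS.get(e.scheme.lower())
    u_port = u.port or DEFAULT_PORTS.get(u.scheme.lower())
    if e_port != u_port:
        return False
    if not e.path:
        return True
    if e.path.endswith("/"):
        return u.path.startswith(e.path)
    return u.path == e.path


def script_allowed(policy, page_url, script_url, nonce=None):
    """True if <script src=script_url nonce=nonce> on page_url is permitted by
    script-src (falling back to default-src when script-src is absent)."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # neither directive present: no restriction at all
    page_scheme = urlsplit(page_url).scheme.lower()
    for src in sources:
        if src.startswith("'"):
            keyword = src.lower()
            if keyword == "'self'" and _origin(page_url) == _origin(script_url):
                return True
            if keyword.startswith("'nonce-") and nonce is not None \
                    and src == "'nonce-%s'" % nonce:
                return True
            continue  # 'none', 'unsafe-inline', hashes: never match a URL
        if "://" not in src and src.endswith(":"):  # scheme-source, e.g. https:
            if urlsplit(script_url).scheme.lower() == src[:-1].lower():
                return True
            continue
        if host_source_matches(src, script_url, page_scheme):
            return True
    return False


# Constructed policies mirroring the before/after script-src in hgrc.j2; the
# real header carries a per-response nonce, 'abc' stands in for it here.
OLD_POLICY = ("default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; "
              "img-src 'self'; script-src 'self' 'nonce-abc'; "
              "style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; "
              "frame-ancestors https:")
NEW_POLICY = OLD_POLICY.replace("script-src 'self' 'nonce-abc'",
                                "script-src https://hg.mozilla.org/static/ 'nonce-abc'")

PAGE = "https://hg.mozilla.org/mozilla-central/shortlog"
STATIC_JS = "https://hg.mozilla.org/static/mercurial.js"
RAW_FILE_JS = "https://hg.mozilla.org/mozilla-central/raw-file/tip/evil.js"  # constructed

if __name__ == "__main__":
    for label, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        for url in (STATIC_JS, RAW_FILE_JS):
            print(label, url, script_allowed(policy, PAGE, url))
```

Two things worth noticing when running it: the trailing slash in `https://hg.mozilla.org/static/` is what makes it a prefix match, so a sibling path such as `/static-evil/x.js` is rejected, and a script element carrying the page's nonce is still admitted from any URL. The toy matcher does not model the spec rule that path components are ignored once a request has been redirected, so in a real browser a redirect from under `/static/` to repository content would not be stopped by the path part of the expression.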
Showing 2 changed files with 13 additions and 2 deletions.
13 changes: 12 additions & 1 deletion ansible/roles/hg-web/templates/hgrc.j2
@@ -28,7 +28,18 @@ guessmime = True

# bugzilla.mo is for l10n tool.
# TODO find out URL for l10n tools needing this and restrict to that.
csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https:

# script-src limits to /static/ and nonce so repository content can't be
# loaded as scripts. (URLs like /raw-file/ could load JS checked into repos.)
# CSP doesn't allow "self"-reflected paths - only URLs. In Docker, we don't
# know what the hostname is. So we use "self" in that environment and a full
# URL in production.

{% if vct_dir.stat.exists == False %}
csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src https://hg.mozilla.org/static/ 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https:
{% else %}
csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' https://hg.mozilla.org/static/ 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https:
{% endif %}

# We don't allow pushes over HTTP. But if this isn't set, pushing to https://
# prints a "SSL required" message because the load balancer terminates TLS
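Review bot: the production branch (`vct_dir.stat.exists == False`) hardcodes `https://hg.mozilla.org/static/` in script-src, so any other non-Docker host that renders this role's template (a staging or dev deployment) gets a policy that blocks its own `/static/` scripts; consider templating the host from an Ansible variable (e.g. `https://{{ hgweb_hostname }}/static/`, name hypothetical) rather than the literal. The comment above the block also explains the Docker/production split without saying that `vct_dir.stat.exists` is the signal for Docker, which the next reader has to infer from the `if`/`else`; a one-line note there would help. Minor: the Docker branch keeps `'self'` alongside `https://hg.mozilla.org/static/`, which is redundant in that environment.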
2 changes: 1 addition & 1 deletion hgserver/tests/test-csp.t
@@ -11,7 +11,7 @@
CSP header should be present on normal HTTP requests

$ http ${HGWEB_0_URL}mozilla-central/shortlog --header content-security-policy | grep script
content-security-policy: default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-*'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https: (glob)
content-security-policy: default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' https://hg.mozilla.org/static/ 'nonce-*'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; frame-ancestors https: (glob)
<script type="text/javascript" src="/static/DOCKER/mercurial.js"></script>
<script type="text/javascript" nonce="*"> (glob)
</script>
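Review bot: the updated expectation on the `content-security-policy` line still contains `'self'` in script-src, so this test only covers the Docker rendering of the template; the production rendering that actually drops `'self'`, which is the security fix itself, is not exercised anywhere in this change. Suggest adding a check that the production hgrc renders `script-src https://hg.mozilla.org/static/ 'nonce-` with no `'self'`, so a later edit cannot silently reintroduce it.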
