Switch to Mercurial's built-in CSP support

RESOLVED FIXED

Status

Developer Services
Mercurial: hg.mozilla.org
RESOLVED FIXED
9 months ago
6 months ago

People

(Reporter: gps, Assigned: gps)

Tracking

(Blocks: 1 bug)

Details


Attachments

(3 attachments)

+++ This bug was initially created as a clone of Bug #1319172 +++

Mercurial 4.1 adds built-in CSP support via the web.csp config option. We should switch from defining CSP in httpd to this.

The main benefit of switching is that we'll no longer need unsafe-inline for scripts, as Mercurial knows how to emit nonces.

However, some hosted content on hg.mozilla.org (such as the reftest analyzer) may also rely on inline content. And it doesn't go through Mercurial's templating layer, so it won't know what nonce to use. We may have to have httpd override the default/Mercurial provided CSP header with a custom one allowing unsafe-inline for specific paths.
Depends on: 1333616
Bug 1333929 will make this a bit harder since we have a special case for reftest analyzer. But, we can continue to overwrite whatever CSP header value hg sets in httpd for reftest analyzer and any other special snowflakes until the snow is melted.
This is now unblocked.
Lemme see if I can crank this out real quick...
Assignee: nobody → gps
Status: NEW → ASSIGNED
Good news: we can switch to Mercurial's native CSP easily and nonces work.

Bad news: Mercurial's default templates use inline event handlers on various HTML elements, which CSP disallows unless using unsafe-inline. So, we can't move away from unsafe-inline just yet.

I may hack on upstream patches to remove the inline event handlers. We should be able to backport them to hg.mozilla.org easily (since we maintain a shadow copy of Mercurial's templates and can update them without upgrading Mercurial).

I'll get another bug on file to track unsafe-inline removal explicitly. I think moving the CSP generation to Mercurial is a step in the right direction. So let's get that reviewed and deployed.
Blocks: 1353953
Wait - I may have been misled by Firefox's devtools :|

When I test a local HTTP (not HTTPS) server as such:

  $ hg serve --hgmo --config "web.csp=default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'"

Then, when I load http://10.251.30.244:8000/graph, the developer console says the following:

18:38:15.729 Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://10.251.30.244:8000 'nonce-8xyvd8egSN6xqxAWRyZ5qA'”). Source: onsubmit attribute on DIV element. 1 graph

The thing is, there is no "onsubmit" in Mercurial's templates. And the inline JS on that page seems to work fine. Huh. Chrome doesn't report any CSP warnings. I wonder if this is some Firefox add-on injecting content in such a way that it violates the CSP policy. I really wish Firefox's devtools told me which element that JS handler was attached to. Is there a way to search for event handlers in devtools?
I've uploaded the patch to switch to nonces in case glob or someone else wants to experiment.

  $ hg clone https://hg.mozilla.org/hgcustom/version-control-tools
  $ hg serve --config extensions.hgmo=version-control-tools/hgext/hgmo --config "web.csp=..." --hgmo
False positive on CSP errors. I blame a Firefox add-on. We should be clear to move forward with this.
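The two problems discussed above (Mercurial's templates using inline on* event handlers, and the reported onsubmit violation) are exactly what a nonce-based script-src rejects. As an added example, not code from Mercurial or version-control-tools, the script below renders a web.csp-style policy for one request (substituting %nonce% as Mercurial does), parses it, and walks a page to list the inline scripts and handler attributes a browser would block; the HTML, nonce and policy are constructed.

```python
"""Audit HTML against the nonce-based script-src that Mercurial's web.csp emits.
Added example, not Mercurial code; the HTML, nonce and policy are constructed."""
from html.parser import HTMLParser

CSP_TEMPLATE = ("default-src 'none'; img-src 'self'; "
                "script-src 'self' 'nonce-%nonce%'; style-src 'self'")
NONCE = "c0nstructedN0nce"  # constructed; Mercurial makes one per request
SAMPLE_HTML = """<script nonce="c0nstructedN0nce">var ok = 1;</script>
<script src="/static/mercurial.js"></script>
<script>var blocked = 1;</script>
<div onsubmit="return false;"><form></form></div>"""


def parse_csp(header):
    """Split "a b; c d e" into {'a': ['b'], 'c': ['d', 'e']}."""
    policy = {}
    for directive in header.split(';'):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


class InlineScriptAuditor(HTMLParser):
    """Record inline <script> blocks (with nonce attribute, if any) and
    on* event-handler attributes, which can never carry a nonce."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in attrs:
            if name.startswith('on'):
                self.findings.append(('handler', tag, name))
        if tag == 'script' and 'src' not in attrs:
            self.findings.append(('inline-script', tag, attrs.get('nonce')))


def audit(html, csp_template, nonce):
    """Render the policy for one request and list what it would block."""
    header = csp_template.replace('%nonce%', nonce)  # what web.csp does
    script_src = parse_csp(header).get('script-src', [])
    nonces = {s[len("'nonce-"):-1] for s in script_src
              if s.startswith("'nonce-") and s.endswith("'")}
    # Browsers ignore 'unsafe-inline' once a nonce source is present.
    if "'unsafe-inline'" in script_src and not nonces:
        return []
    auditor = InlineScriptAuditor()
    auditor.feed(html)
    return [f for f in auditor.findings
            if f[0] == 'handler' or f[2] not in nonces]
```

Running audit() over a rendered hgweb page before removing 'unsafe-inline' shows which template elements still need to be converted to nonced scripts or external files.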

Comment 14

6 months ago
mozreview-review
Comment on attachment 8855137 [details]
ansible/hg-web: emit CSP header from Mercurial (bug 1333615);

https://reviewboard.mozilla.org/r/127016/#review132014
Attachment #8855137 - Flags: review?(glob) → review+

Comment 15

6 months ago
mozreview-review
Comment on attachment 8855138 [details]
hgserver: explicitly test for <script> content (bug 1333615);

https://reviewboard.mozilla.org/r/127018/#review132348
Attachment #8855138 - Flags: review?(glob) → review+

Comment 16

6 months ago
mozreview-review
Comment on attachment 8855139 [details]
ansible/hg-web: use nonce for script-src in CSP (bug 1333615);

https://reviewboard.mozilla.org/r/127020/#review132350
Attachment #8855139 - Flags: review?(glob) → review+

Comment 17

6 months ago
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/ffb95353c3f1
ansible/hg-web: emit CSP header from Mercurial ; r=glob
https://hg.mozilla.org/hgcustom/version-control-tools/rev/f836f41d4e78
hgserver: explicitly test for <script> content ; r=glob
https://hg.mozilla.org/hgcustom/version-control-tools/rev/fb6202dbcb4a
ansible/hg-web: use nonce for script-src in CSP ; r=glob
Status: ASSIGNED → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → FIXED
And deployed.

https://mozilla.github.io/http-observatory-website/analyze.html?host=hg.mozilla.org now gives us a B rating.