Switch to Mercurial's built-in CSP support



Developer Services
Mercurial: hg.mozilla.org
9 months ago
6 months ago


(Reporter: gps, Assigned: gps)


(Blocks: 1 bug)


(3 attachments)

+++ This bug was initially created as a clone of Bug #1319172 +++

Mercurial 4.1 adds built-in CSP support via the web.csp config option. We should switch from defining CSP in httpd to this.

The main benefit of switching is that we'll no longer need unsafe-inline for scripts, as Mercurial knows how to emit nonces.

However, some hosted content on hg.mozilla.org (such as the reftest analyzer) may also rely on inline content. And it doesn't go through Mercurial's templating layer, so it won't know what nonce to use. We may have to have httpd override the default/Mercurial provided CSP header with a custom one allowing unsafe-inline for specific paths.
Depends on: 1333616
Bug 1333929 will make this a bit harder since we have a special case for reftest analyzer. But, we can continue to overwrite whatever CSP header value hg sets in httpd for reftest analyzer and any other special snowflakes until the snow is melted.
This is now unblocked.
Lemme see if I can crank this out real quick...
Assignee: nobody → gps
Good news: we can switch to Mercurial's native CSP easily and nonces work.

Bad news: Mercurial's default templates use inline event handlers on various HTML elements, which CSP disallows unless using unsafe-inline. So, we can't move away from unsafe-inline just yet.

I may hack on upstream patches to remove the inline event handlers. We should be able to backport them to hg.mozilla.org easily (since we maintain a shadow copy of Mercurial's templates and can update them without upgrading Mercurial).

I'll get another bug on file to track unsafe-inline removal explicitly. I think moving the CSP generation to Mercurial is a step in the right direction. So let's get that reviewed and deployed.
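The mechanism discussed in the description and in the comment above (Mercurial substituting %nonce% into the web.csp value, httpd overriding the header for paths that never pass through the templating layer, and inline event handlers that no nonce can cover), as an added Python illustration that is not Mercurial's or hg.mozilla.org's code. The policy string mirrors the one used in this bug; the override path prefix, the sample page template and the audit helpers are constructed assumptions.

```python
"""Added illustration (not Mercurial's or hg.mozilla.org's code): how a
nonce-based CSP treats inline <script> tags versus inline event handlers,
and why paths that bypass templating need a separate header."""
import base64
import re
import secrets

# Policy shaped like the web.csp value in the bug; the server replaces
# %nonce% with a fresh per-request value.
WEB_CSP = ("default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; "
           "img-src 'self'; script-src 'self' 'nonce-%nonce%'; "
           "style-src 'self' 'unsafe-inline'")

# Constructed path prefix for hosted content that is served without templating
# (the bug's reftest-analyzer case); httpd replaces the header for it.
OVERRIDE_PREFIXES = ("/static/reftest-analyzer",)          # assumption
OVERRIDE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"

# Constructed page: one correctly nonced script, one that forgot the nonce,
# and an inline event handler attribute.
HGWEB_PAGE = ('<script nonce="%nonce%">var a = 1;</script>\n'
              '<script>var b = 2;</script>\n'
              '<div onsubmit="return false">')

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
NONCE_RE = re.compile(r'\bnonce="([^"]*)"')
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)


def make_nonce(nbytes=16):
    """Per-response nonce: unguessable random bytes, base64 by convention."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def render(template, path, nonce):
    """Emulate the server: substitute %nonce% into header and body, or, for
    override paths, emit the httpd-style replacement header and the raw body."""
    if path.startswith(OVERRIDE_PREFIXES):
        return OVERRIDE_CSP, template
    return WEB_CSP.replace("%nonce%", nonce), template.replace("%nonce%", nonce)


def script_src_directive(csp):
    """Source list governing scripts: script-src, else default-src."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


def inline_script_allowed(csp, nonce_attr=None):
    """Browser decision for an inline <script>: a matching nonce wins; otherwise
    'unsafe-inline', which CSP2+ ignores once any nonce or hash source is present."""
    srcs = script_src_directive(csp)
    nonces = {s[len("'nonce-"):-1] for s in srcs if s.startswith("'nonce-")}
    has_hash = any(s.startswith("'sha") for s in srcs)
    if nonce_attr is not None and nonce_attr in nonces:
        return True
    return "'unsafe-inline'" in srcs and not nonces and not has_hash


def inline_handler_allowed(csp):
    """onclick=/onsubmit= attributes cannot carry a nonce, so only 'unsafe-inline'
    (or CSP3 'unsafe-hashes', not modelled here) admits them."""
    srcs = script_src_directive(csp)
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in srcs)
    return "'unsafe-inline'" in srcs and not nonce_or_hash


def audit(template, path):
    """Render one request and list the inline script/handler kinds the policy blocks."""
    csp, body = render(template, path, make_nonce())
    blocked = []
    for match in SCRIPT_RE.finditer(body):
        attrs = match.group(1)
        if "src=" in attrs:            # external script, governed by host sources
            continue
        nonce_match = NONCE_RE.search(attrs)
        if not inline_script_allowed(csp, nonce_match.group(1) if nonce_match else None):
            blocked.append("script")
    if HANDLER_RE.search(body) and not inline_handler_allowed(csp):
        blocked.append("handler")
    return csp, blocked


if __name__ == "__main__":
    for path in ("/mozilla-central/graph", "/static/reftest-analyzer/index.html"):
        print(path, audit(HGWEB_PAGE, path))
```

The CSP2 rule in inline_script_allowed is the reason the override for non-templated content has to replace the header rather than append 'unsafe-inline' to it: once a nonce source is present, browsers ignore 'unsafe-inline' in the same directive, so a page that cannot receive a nonce gets no working script at all under the nonced policy.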
Blocks: 1353953
Wait - I may have been misled by Firefox's devtools :|

When I test a local HTTP (not HTTPS) server as such:

  $ hg serve --hgmo --config "web.csp=default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'"

Then, on page load, the developer console says the following:

18:38:15.729 Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'nonce-8xyvd8egSN6xqxAWRyZ5qA'”). Source: onsubmit attribute on DIV element. 1 graph

The thing is, there is no "onsubmit" in Mercurial's templates. And the inline JS on that page seems to work fine. Huh. Chrome doesn't report any CSP warnings. I wonder if this is some Firefox add-on injecting content in such a way that it violates the CSP policy. I really wish Firefox's devtools told me which element that JS handler was attached to. Is there a way to search for event handlers in devtools?
I've uploaded the patch to switch to nonces in case glob or someone else wants to experiment.

  $ hg clone https://hg.mozilla.org/hgcustom/version-control-tools
  $ hg --config extensions.hgmo=version-control-tools/hgext/hgmo --config "web.csp=..." serve --hgmo
False positive on CSP errors. I blame a Firefox add-on. We should be clear to move forward with this.

Comment 14

6 months ago
Comment on attachment 8855137 [details]
ansible/hg-web: emit CSP header from Mercurial (bug 1333615);

Attachment #8855137 - Flags: review?(glob) → review+

Comment 15

6 months ago
Comment on attachment 8855138 [details]
hgserver: explicitly test for <script> content (bug 1333615);

Attachment #8855138 - Flags: review?(glob) → review+

Comment 16

6 months ago
Comment on attachment 8855139 [details]
ansible/hg-web: use nonce for script-src in CSP (bug 1333615);

Attachment #8855139 - Flags: review?(glob) → review+

Comment 17

6 months ago
Pushed by gszorc@mozilla.com:
ansible/hg-web: emit CSP header from Mercurial ; r=glob
hgserver: explicitly test for <script> content ; r=glob
ansible/hg-web: use nonce for script-src in CSP ; r=glob
Last Resolved: 6 months ago
Resolution: --- → FIXED
And deployed.

https://mozilla.github.io/http-observatory-website/analyze.html?host=hg.mozilla.org now gives us a B rating.