Content-Security-Policy (CSP) is a web security feature that allows
servers to declare what loaded content is allowed to do. For example,
a policy can prevent loading of images, JavaScript, CSS, etc unless
the source of that content is whitelisted (by hostname, URI scheme,
hashes of content, etc). It's a nifty security feature that provides
extra mitigation against some attacks, notably XSS.
Mitigation against these attacks is important for Mercurial because
hgweb renders repository data, which is commonly untrusted. While we
make attempts to escape things, etc, there's the possibility that
malicious data could be injected into the site content. If this happens
today, the full power of the web browser is available to that
malicious content. A restrictive CSP policy (defined by the server
operator and sent in an HTTP header which is outside the control of
malicious content), could restrict browser capabilities and mitigate
security problems posed by malicious data.
CSP works by emitting an HTTP header declaring the policy that browsers
should apply. Ideally, this header would be emitted by a layer above
Mercurial (likely the HTTP server doing the WSGI "proxying"). This
works for some CSP policies, but not all.
For example, policies to allow inline JavaScript may require setting
a "nonce" attribute on <script>. This attribute value must be unique
and non-guessable. And, the value must be present in the HTTP header
and the HTML body. This means that coordinating the value between
Mercurial and another HTTP server could be difficult: it is much
easier to generate and emit the nonce in a central location.
This commit introduces support for emitting a
Content-Security-Policy header from hgweb. A config option defines
the header value. If present, the header is emitted. A special
"%nonce%" syntax in the value triggers generation of a nonce and
inclusion in <script> elements in templates. The inclusion of a
nonce does not occur unless "%nonce%" is present. This makes this
commit completely backwards compatible and the feature opt-in.
The nonce is a type 4 UUID, which is the flavor that is randomly
generated. It has 122 random bits, which should be plenty to satisfy
the guarantees of a nonce.
All the hgweb templates include mercurial.js in their header. All
the hgweb templates have the same <script> boilerplate to run
process_dates(). This patch factors that function call into
mercurial.js as part of a DOMContentLoaded event listener.
Every other template has the "raw" link load "raw-file." However,
fileannotate.tmpl's "raw" link loads "raw-annotate." This feels
inconsistent and wrong.
As far as I can tell, linking to the "raw annotate" view has occurred
since 2006.
The link is embedded into a div with class="annotate-info" that only shows up
upon hover of the annotate column. To avoid duplicate hover-overs (this new
one and the one coming from link's title), drop "title" attribute from a
element and put it in the annotate-info element.
I.e. when a revision blames a block of source lines, only display the
revision link on the first line of the block (this is identified by the
"blockhead" key in annotate context).
This addresses item "Visual grouping of changesets" of the blame improvements
plan (https://www.mercurial-scm.org/wiki/BlamePlan) which states: "Typically
there are block of lines all attributed to the same revision. Instead of
rendering the revision/changeset for every line, we could only render it once
per block."
* Distinguish the /annotate/<revision>/<file>#<linenumber> link when it would
lead to the current page (i.e. <revision> is the current revision) (style it
gray and undecorated). This indicates more clearly that this is a "dead-end"
in blame navigation.
* Display lines changed in current revision in green.
Before this patch, template files for "graph" web page use fixed width
size "480" for canvas element.
This causes pruned lanes and invisible vertexes, if there are 16 or
more vertical lanes at once. In such case, part of graph in right side
area over 480 is invisible, even though corresponded summary text
blocks are visible correctly.
This limitation isn't reasonable for workflow using many branches at
once (e.g. "one branch per issue" workflow).
There were changes below related to width of canvas:
- 6c855f5350cd (templates: widen the graph canvas (issue2683)),
released as a part of Mercurial 1.8.2
According to the description, this assumed that 15 parallel
branches was enough for ordinary workflow, and bumped width of
canvas up from 224 to 480.
- f5506d2a674c (hgweb: make graph data suitable for template usage),
released as a part of Mercurial 2.3
This introduced "canvaswidth" template keyword as a part of
refactoring around graph rendering.
But 'width="480"' of canvas element in template files wasn't
replaced by 'width="{canvaswidth}"' in it (or subsequent one).
This patch uses dynamic value "{canvaswidth}" instead of fixed width
size "480" for canvas element.
This is posted for "stable", because:
- this is re-fixing issue2683
- this is simple enough for stable
- using "{canvaswidth}" doesn't require any additional cost
Calculation of canvaswidth is already implied as a part of "graph"
web command.
Currently, the "helptopics" template assumes it is only used as the
main index and therefore doesn't hyperlink "help" in the navigation
list. Sub-topics will introduce an additional consumer of this
template. So teach the template to hyperlink the "help" navigation
entry when necessary.
In order to support sub-topics, we need to support linking to a full
topic name while displaying the base topic name. Change the {helpentry}
template to grab the display name from an optional seperate variable
(which will be defined in a future patch).
We now have sub-topics in the help system. The "helptopics" template
serves as a mechanism for displaying an index of help topics.
Previously, it was only used to show the top-level list of help topics,
which includes special groupings of topics.
In the near future, we'll adapt "helptopics" for showing the index
of sub-topics. In this patch, we optionally render {earlycommands} and
{othercommands} since they aren't present on sub-topics.
Due to how the line links now reside outside of the source lines, hovering over
line numbers doesn't count as hovering over the appropriate source line. It can
be worked around by using a "+" css selector. However, it's necessary to
reorder the elements and put <a> before <span> (which is actually quite
logical). It works without further css tweaks because <a> is already
absolute-positioned and so the order doesn't matter visually.
This is adapted from 635285e0a942, that was added to paper for 3.5 release.
It adds another way to refer to branches, tags and bookmarks in urls: by name.
It's still possible to navigate to a specific changeset hash, but now you can
get more descriptive urls straight from /summary page, for example.
branchentry template (and so the whole branches table on /summary and
/branches) lost the column that had a plain changeset hash, because tags and
bookmarks don't have this column and also because there is already a way to
address branch by its changeset hash (changeset link just next to it). Maybe we
can instead bring this column with a plain changeset hash to tags and
bookmarks, but this, more terse, new look feels fine.
This is adapted from 0609781075c1.
It also fixes issue4790 in monoblue; tab characters now have meaningful width on
the modified pages (file view, file diff, changeset).
"Tags" and "Bookmarks" sections on this page already have the similar links,
and so does the "Branches" on summary page in gitweb, so let's do the same in
monoblue.
Index page, which shows the list of available repositories, has a column where
the last modification date for each repo is shown. paper, coal and spartan
already show the dates in relative format (e.g. "2 weeks ago"), because these
styles have the required process_dates() js function call in their footer
templates, which are included on every page. But monoblue and gitweb styles
have more things in the footer templates, such as repo name and its atom/rss
links, so they don't include the footer on index page (as this page doesn't
have a single repo context).
Let's call process_dates() without including the footer.
In 064b658181dd, age calculation was made dynamic (i.e. in javascript), but for
some reason bookmarkentry template in monoblue/map got a wrong class. It
resulted in /summary and /bookmarks pages always showing exact dates for
bookmarks, no age calculation was performed. Let's fix this by using "age"
class that is already used in branchentry and tagentry templates in the same
map file.
As usual, the exact date for such elements is still available in title
attribute, so it shows in a tooltip on hover.
Since f9c487618909 and 9d5bd0e29076, when monoblue was introduced, the code
this patch removes was untouched. Presumably, there supposed to be nice
graphics in the screen corners, but there never were due to:
- the css being commented out
- ids of the elements and of the css selectors being different
- and the png files absent
The "corner" elements were unstyled and didn't affect the rest of the page, so
I think it's safe to remove all this.
Let's make monoblue templates use symbolic revision in navigation links.
The majority of links (log, filelog, annotate, etc) still use node hashes.
Some pages don't have permanent links to current node hash (so it's not very
easy to go from /rev/tip to /rev/<tip hash>), this will be addressed in future
patches.
Some pages, e.g. bookmarks, help and summary don't have a meaningful revision
context: they always either show information about tip or about the whole repo
(and not about any specific changeset). And error pages can just show hgweb
error messages, not related to any repo or changeset.
Having a hash in the links worked (even when '{node|short}' resolved to an
empty string on error pages), but seeing pages without revision context provide
links with hashes is a bit confusing (unless you keep current tip hash in your
head at all times) and not consistent with other template styles and other
links on the same page: they don't have a hash.
Let's just link to '/file', which is equal to '/file/tip'.
Some pages, e.g. bookmarks, help and summary don't have a meaningful revision
context: they always either show information about tip or about the whole repo
(and not about any specific changeset). And error pages can just show hgweb
error messages, not related to any repo or changeset.
When monoblue style was added in f9c487618909, however, all graph links had
tried to point at some hash, and on such pages as described above it didn't
make sense. On error pages '{node|short}' is empty string anyway.
Of course, it worked, but seeing such pages without revision context provide
links with hashes is a bit confusing (unless you keep current tip hash in your
head at all times) and wasn't consistent with other template styles, other
pages in monoblue and even other links on the same page.
Let's just link to '/graph', which is equal to '/graph/tip'.
The ability to "skip" a chain of empty directories in hgweb was added in
5c045b277096, but monoblue style wasn't updated.
This block is copied from gitweb/map file and just works.
This will ease future patches for the templates.
As a result of this patch, paper style has one visual change in
log/shortlog/file log view: the spacing between commit message and the first
tag (or branch name, or bookmark) is now roughly who spaces wide instead of one
space wide. This spacing is consistent with the one between branch
names/tags/bookmarks themselves, so it looks better.
In gitweb style, the change from non-breakable space to regular space is
consistent with other elements.
In monoblue the change is not noticeable.
There's a "p.changeset-age span" css block in style-monoblue.css with quite a
bit of rules, including position. They were all unused, since there weren't
matching span element inside the p.changeset-age.
The span was removed in 064b658181dd (as it seemed meaningless at the time?)
and since then relative changeset age text looked weird and broken.
"age" class is used for calculating relative changeset age in javascript: all
content of such element is replaced with human-friendly text (e.g.
"yesterday"). So the new span gets the age class.
