Add HSTS and CSP headers to all services and static files.

Add HSTS and CSP headers to all services and static files.

- The services are not accessible over HTTP anyway.
- Refuse loading anything not over HTTPS and outside of the same-origin through
  CSP.
- Add .woff to supported static files.

Update both *.yaml for static content and AuthenticatingHandler to set these
headers.

References:
  http://www.html5rocks.com/en/tutorials/security/content-security-policy/
  https://www.owasp.org/index.php/Content_Security_Policy
  https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
  https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

R=vadimsh@chromium.org
BUG=swarming:96

Committed: https://code.google.com/p/swarming/source/detail?repo=default&r=4e8ac6b055fcce2e46576a2a73deb23dbc3e25ec

[vadimsh, 2015-02-25 18:06:28]

lgtm

add http_headers to static section in app.yaml too.

See http_headers here
https://cloud.google.com/appengine/docs/python/config/appconfig

[M-A, 2015-02-25 18:47:03]

On 2015/02/25 18:06:28, vadimsh wrote:
> lgtm
> 
> add http_headers to static section in app.yaml too.
> 
> See http_headers here
> https://cloud.google.com/appengine/docs/python/config/appconfig

That gave me the idea of "while at it", I added CSP and more. :) Updated CL
description.

FTR, replication_smoke_test.py was still flaky.

[vadimsh, 2015-02-25 19:07:46]

lgtm

https://codereview.appspot.com/206940043/diff/20001/appengine/components/comp...
File appengine/components/components/auth/handler.py (right):

https://codereview.appspot.com/206940043/diff/20001/appengine/components/comp...
appengine/components/components/auth/handler.py:110:
self.response.headers['Content-Security-Policy'] = (
It affects only Javascript running from within HTML pages, right? The page can
execute JS only loaded from the same app? (The docs are hard to read).

[vadimsh, 2015-02-25 19:21:45]

Can't reproduce replication_smoke_test.py error. Next time it happens, can you
please send me full log (it should dump devserver logs of chrome-infra-auth and
test app on test failure, it usually have some clues).

[M-A, 2015-02-25 20:12:23]

https://codereview.appspot.com/206940043/diff/20001/appengine/components/comp...
File appengine/components/components/auth/handler.py (right):

https://codereview.appspot.com/206940043/diff/20001/appengine/components/comp...
appengine/components/components/auth/handler.py:110:
self.response.headers['Content-Security-Policy'] = (
On 2015/02/25 19:07:46, vadimsh wrote:
> It affects only Javascript running from within HTML pages, right?

I made it to apply to everything.

> The page can execute JS only loaded from the same app? (The docs are hard to
read).

http://www.html5rocks.com/en/tutorials/security/content-security-policy/ is
clearer. I added references.

[vadimsh, 2015-02-25 20:15:16]

lgtm, assuming it works...

[M-A, 2015-02-25 20:23:46]

Committed patchset #4 (id:40002) manually as
4e8ac6b055fcce2e46576a2a73deb23dbc3e25ec (presubmit successful).