yesod-middleware-csp: A middleware for building CSP headers on the fly


Properties

Versions 1.0.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0
Change log None available
Dependencies base (>=4 && <5), base64-bytestring, bytestring (>=0.9 && <0.11), classy-prelude (>=0.10.2), conduit, containers, directory, filepath, http-client, network-uri, template-haskell, text, time, uuid, yesod (>=1.6.0), yesod-core (>=1.6.15), yesod-static (>=1.6 && <1.7)
License MIT
Author Jezen Thomas <jezen@riskbook.com>
Maintainer Jezen Thomas <jezen@riskbook.com>
Category Web, Yesod
Uploaded by Jappie at 2022-07-12T10:07:56Z


Readme for yesod-middleware-csp-1.0.0

yesod-middleware-csp

Works with Content Security Policy (CSP) instead of disabling it. It overrides Yesod's default addScript functions so that each script tag carries a nonce, and sets the matching CSP headers for that request.

Usage

Because there is no good way to enforce CSP at the type level in Yesod, it's best to replace ClassyPrelude with your own custom prelude. That prelude can hide Yesod's addScript functions and export the ones provided by this library in their place:


-- | Mirrors ClassyPrelude.Yesod, but with our Supercede patches
module Supercede.Prelude.Yesod
  ( -- * Re-exports
    module X
  -- ** use CSP variant instead of yesod's
  , addScriptEither
  , addScript
  , addScriptRemote
  ) where

import Supercede.Prelude as X hiding (delete, deleteBy, Handler (..))
import Yesod as X hiding (addScriptEither, addScript, addScriptRemote, addScriptAttrs, addScriptRemoteAttrs)

import Yesod.Middleware.CSP (addScriptEither, addScript, addScriptRemote)

Then, in your HLint configuration, you can discourage direct use of ClassyPrelude:

- modules:
  - {name: [ClassyPrelude], message: "Use Supercede.Prelude instead"}
  - {name: [ClassyPrelude.Yesod], message: "Use Supercede.Prelude.Yesod instead"}
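
To illustrate the nonce mechanism and why script tags emitted outside the CSP-aware wrappers are a problem, here is an added example (not this library's own code): it pairs a per-response nonce with a CSP header value and a script tag, then checks a rendered body for script tags that lack the nonce. The helper names, the sample paths and the use of the entropy package for randomness are assumptions; it needs bytestring, base64-bytestring and entropy.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import qualified Data.ByteString as BS
import qualified Data.ByteString.Base64 as B64
import qualified Data.ByteString.Char8 as BC
import System.Entropy (getEntropy)

-- | Hypothetical helper: 16 random bytes, base64-encoded. Generate one per
-- response; a nonce that repeats can be copied into injected markup.
newNonce :: IO BS.ByteString
newNonce = B64.encode <$> getEntropy 16

-- | Header value: only script tags carrying this nonce may run.
cspHeader :: BS.ByteString -> BS.ByteString
cspHeader nonce = "script-src 'nonce-" <> nonce <> "'"

-- | Script tag carrying the nonce. Assumes src is a trusted, quote-free URL.
scriptTag :: BS.ByteString -> BS.ByteString -> BS.ByteString
scriptTag nonce src =
  "<script src=\"" <> src <> "\" nonce=\"" <> nonce <> "\"></script>"

-- | Opening <script ...> tags found in a rendered body (naive scan).
scriptOpens :: BS.ByteString -> [BS.ByteString]
scriptOpens body
  | BS.null rest = []
  | otherwise    = tag : scriptOpens after
  where
    (_, rest)    = BS.breakSubstring "<script" body
    (tag, after) = BC.break (== '>') rest

-- | True when every script tag in the body carries the header's nonce.
allScriptsNonced :: BS.ByteString -> BS.ByteString -> Bool
allScriptsNonced nonce = all (attr `BS.isInfixOf`) . scriptOpens
  where attr = "nonce=\"" <> nonce <> "\""

main :: IO ()
main = do
  nonce <- newNonce
  let viaWrapper = scriptTag nonce "/static/app.js"
      -- Constructed sample: a tag emitted without the nonce, as a call that
      -- bypasses the CSP-aware wrappers would; this policy blocks it.
      bypassed   = "<script src=\"/static/legacy.js\"></script>"
  BC.putStrLn ("Content-Security-Policy: " <> cspHeader nonce)
  BC.putStrLn viaWrapper
  print (allScriptsNonced nonce viaWrapper)
  print (allScriptsNonced nonce (viaWrapper <> bypassed))
```

A check like `allScriptsNonced` fits in an integration test over rendered pages, where it catches handlers that still emit script tags without going through the wrappers.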

How to run tests

cabal configure --enable-tests && cabal build && cabal test

Contributing

PRs are welcome.