| Safe Haskell | None |
|---|---|
| Language | Haskell2010 |
Yesod.Middleware.CSP
Description
Deals with CSP without disabling it. This is done by overriding the default Yesod-provided addScript functions so that they add a nonce to the script tag, and by adding the right headers to the response for that request.
Synopsis
- data CombineSettings = CombineSettings {
- csStaticDir :: FilePath
- csCssPostProcess :: [FilePath] -> ByteString -> IO ByteString
- csJsPostProcess :: [FilePath] -> ByteString -> IO ByteString
- csCssPreProcess :: Text -> IO Text
- csJsPreProcess :: Text -> IO Text
- csCombinedFolder :: FilePath
- newtype CSPNonce = CSPNonce {
- unCSPNonce :: Text
- data Directive
- data Source
- = Wildcard
- | None
- | Self
- | DataScheme
- | BlobScheme
- | Host Text
- | Https
- | Http
- | UnsafeInline
- | UnsafeEval
- | StrictDynamic
- | Nonce Text
- addCSP :: MonadWidget m => Directive -> Source -> m ()
- addCSPMiddleware :: HandlerFor m a -> HandlerFor m a
- addScript :: MonadWidget m => Route (HandlerSite m) -> m ()
- addScriptEither :: MonadWidget m => Either (Route (HandlerSite m)) Text -> m ()
- addScriptRemote :: MonadWidget m => Text -> m ()
- combineScripts' :: Bool -> CombineSettings -> Name -> [Route Static] -> Q Exp
- combineStylesheets' :: Bool -> CombineSettings -> Name -> [Route Static] -> Q Exp
- getRequestNonce :: MonadHandler m => m CSPNonce
Documentation
data CombineSettings Source #
Constructors
| CombineSettings | |
Fields
| |
Constructors
| CSPNonce | |
Fields
| |
Constructors
| DefaultSrc | |
| StyleSrc | |
| ScriptSrc | |
| ObjectSrc | |
| ImgSrc | |
| FontSrc | |
| ConnectSrc | |
| MediaSrc | |
| FrameSrc | |
| FormAction | |
| FrameAncestors | |
| BaseURI | |
| ReportURI |
Instances
| Eq Directive Source # | |
| Ord Directive Source # | |
| Show Directive Source # | |
Constructors
| Wildcard | |
| None | |
| Self | |
| DataScheme | |
| BlobScheme | |
| Host Text | |
| Https | |
| Http | |
| UnsafeInline | |
| UnsafeEval | |
| StrictDynamic | |
| Nonce Text |
addCSP :: MonadWidget m => Directive -> Source -> m () Source #
Add a directive to the current Content-Security Policy
addCSPMiddleware :: HandlerFor m a -> HandlerFor m a Source #
addScript :: MonadWidget m => Route (HandlerSite m) -> m () Source #
Add a local JavaScript asset to the widget
This is intended to be a drop-in replacement for
Yesod.Core.Widget.addScript. It takes the nonce generated for the current
request and embeds it as an HTML attribute in the script tag.
addScriptEither :: MonadWidget m => Either (Route (HandlerSite m)) Text -> m () Source #
addScriptRemote :: MonadWidget m => Text -> m () Source #
Add a remote JavaScript asset to the widget
The same notes for addScript apply here.
Arguments
| :: Bool | development? if so, perform no combining |
| -> CombineSettings | |
| -> Name | Static route constructor name, e.g. 'StaticR |
| -> [Route Static] | files to combine |
| -> Q Exp |
Combine multiple JS files together
Arguments
| :: Bool | development? if so, perform no combining |
| -> CombineSettings | |
| -> Name | Static route constructor name, e.g. 'StaticR |
| -> [Route Static] | files to combine |
| -> Q Exp |
Combine multiple CSS files together
getRequestNonce :: MonadHandler m => m CSPNonce Source #
Get a nonce for the request
CSP nonces must be unique per request, but the tags within a single request
do not each need their own nonce and may all share one. This function checks
the per-request cache to see if we have already generated a nonce. If we have,
we use the cached value. If this is the first call to this function for the
request, we generate a new CSPNonce by base64-encoding a UUIDV4 value.
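n.b. It is not important to use a high-quality random value to generate the
nonce, but Data.UUID.V4.nextRandom just happens to be faster than
System.Random.randomIO.
Caveat: the CSP Level 3 specification expects a nonce to be unpredictable. It
should be generated by a cryptographically secure random number generator and
be at least 128 bits long before encoding, because the policy accepts any
script tag that carries the current nonce. A UUIDV4 holds 122 random bits, and
whether Data.UUID.V4.nextRandom draws them from a secure source depends on the
uuid package version in use, so confirm this for your dependency set.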