Safe Haskell	Safe-Inferred
Language	Haskell2010

Yesod.Middleware.CSP

Description

Deals with CSP without disabling it. This is done by overriding the default yesod provided addScript functionalities and adding a nonce to the tag, and the right headers to the request.

Synopsis

data CombineSettings = CombineSettings {
- csStaticDir :: FilePath
- csCssPostProcess :: [FilePath] -> ByteString -> IO ByteString
- csJsPostProcess :: [FilePath] -> ByteString -> IO ByteString
- csCssPreProcess :: Text -> IO Text
- csJsPreProcess :: Text -> IO Text
- csCombinedFolder :: FilePath
}
newtype CSPNonce = CSPNonce {
- unCSPNonce :: Text
}
data Directive
- = DefaultSrc
- | StyleSrc
- | ScriptSrc
- | ObjectSrc
- | ImgSrc
- | FontSrc
- | ConnectSrc
- | MediaSrc
- | FrameSrc
- | FormAction
- | FrameAncestors
- | BaseURI
- | ReportURI
- | ManifestSrc
data Source
- = Wildcard
- | None
- | Self
- | DataScheme
- | BlobScheme
- | Host Text
- | Https
- | Http
- | UnsafeInline
- | UnsafeEval
- | StrictDynamic
- | Nonce Text
addCSP :: MonadWidget m => Directive -> Source -> m ()
addCSPMiddleware :: HandlerFor m a -> HandlerFor m a
addScript :: MonadWidget m => Route (HandlerSite m) -> m ()
addScriptAttrs :: MonadWidget m => Route (HandlerSite m) -> [(Text, Text)] -> m ()
addScriptEither :: MonadWidget m => Either (Route (HandlerSite m)) Text -> m ()
addScriptRemote :: MonadWidget m => Text -> m ()
addScriptRemoteAttrs :: MonadWidget m => Text -> [(Text, Text)] -> m ()
combineScripts' :: Bool -> CombineSettings -> Name -> [Route Static] -> Q Exp
combineStylesheets' :: Bool -> CombineSettings -> Name -> [Route Static] -> Q Exp
getRequestNonce :: MonadHandler m => m CSPNonce

Documentation

data CombineSettings Source #

Constructors

CombineSettings

Fields

csStaticDir :: FilePath
File path containing static files.
csCssPostProcess :: [FilePath] -> ByteString -> IO ByteString
Post processing to be performed on CSS files.
csJsPostProcess :: [FilePath] -> ByteString -> IO ByteString
Post processing to be performed on Javascript files.
csCssPreProcess :: Text -> IO Text
Pre-processing to be performed on CSS files.
csJsPreProcess :: Text -> IO Text
Pre-processing to be performed on Javascript files.
csCombinedFolder :: FilePath
Subfolder to put combined files into.

newtype CSPNonce Source #

Constructors

CSPNonce
Fields unCSPNonce :: Text

Instances

Instances details

Eq CSPNonce Source #
Instance details Defined in Yesod.Middleware.CSP Methods (==) :: CSPNonce -> CSPNonce -> Bool # (/=) :: CSPNonce -> CSPNonce -> Bool #
Ord CSPNonce Source #
Instance details Defined in Yesod.Middleware.CSP Methods compare :: CSPNonce -> CSPNonce -> Ordering # (<) :: CSPNonce -> CSPNonce -> Bool # (<=) :: CSPNonce -> CSPNonce -> Bool # (>) :: CSPNonce -> CSPNonce -> Bool # (>=) :: CSPNonce -> CSPNonce -> Bool # max :: CSPNonce -> CSPNonce -> CSPNonce # min :: CSPNonce -> CSPNonce -> CSPNonce #

data Directive Source #

Constructors

DefaultSrc
StyleSrc
ScriptSrc
ObjectSrc
ImgSrc
FontSrc
ConnectSrc
MediaSrc
FrameSrc
FormAction
FrameAncestors
BaseURI
ReportURI
ManifestSrc

Instances

Instances details

Show Directive Source #
Instance details Defined in Yesod.Middleware.CSP Methods showsPrec :: Int -> Directive -> ShowS # show :: Directive -> String # showList :: [Directive] -> ShowS #
Eq Directive Source #
Instance details Defined in Yesod.Middleware.CSP Methods (==) :: Directive -> Directive -> Bool # (/=) :: Directive -> Directive -> Bool #
Ord Directive Source #
Instance details Defined in Yesod.Middleware.CSP Methods compare :: Directive -> Directive -> Ordering # (<) :: Directive -> Directive -> Bool # (<=) :: Directive -> Directive -> Bool # (>) :: Directive -> Directive -> Bool # (>=) :: Directive -> Directive -> Bool # max :: Directive -> Directive -> Directive # min :: Directive -> Directive -> Directive #

data Source Source #

Constructors

Wildcard
None
Self
DataScheme
BlobScheme
Host Text
Https
Http
UnsafeInline
UnsafeEval
StrictDynamic
Nonce Text

Instances

Instances details

IsString Source Source #
Instance details Defined in Yesod.Middleware.CSP Methods fromString :: String -> Source #
Show Source Source #
Instance details Defined in Yesod.Middleware.CSP Methods showsPrec :: Int -> Source -> ShowS # show :: Source -> String # showList :: [Source] -> ShowS #
Eq Source Source #
Instance details Defined in Yesod.Middleware.CSP Methods (==) :: Source -> Source -> Bool # (/=) :: Source -> Source -> Bool #
Ord Source Source #
Instance details Defined in Yesod.Middleware.CSP Methods compare :: Source -> Source -> Ordering # (<) :: Source -> Source -> Bool # (<=) :: Source -> Source -> Bool # (>) :: Source -> Source -> Bool # (>=) :: Source -> Source -> Bool # max :: Source -> Source -> Source # min :: Source -> Source -> Source #

addCSP :: MonadWidget m => Directive -> Source -> m () Source #

Add a directive to the current Content-Security Policy

addCSPMiddleware :: HandlerFor m a -> HandlerFor m a Source #

addScript :: MonadWidget m => Route (HandlerSite m) -> m () Source #

Add a local JavaScript asset to the widget

This is intended to a be a drop-in replacement for Yesod.Core.Widget.addScript. It takes the nonce generated for the current request and embeds it as an HTML attribute in the script tag.

addScriptAttrs :: MonadWidget m => Route (HandlerSite m) -> [(Text, Text)] -> m () Source #

addScriptEither :: MonadWidget m => Either (Route (HandlerSite m)) Text -> m () Source #

addScriptRemote :: MonadWidget m => Text -> m () Source #

Add a remote JavaScript asset to the widget

The same notes for addScript apply here.

addScriptRemoteAttrs :: MonadWidget m => Text -> [(Text, Text)] -> m () Source #

combineScripts' Source #

Arguments

:: Bool	development? if so, perform no combining
-> CombineSettings
-> Name	Static route constructor name, e.g. 'StaticR
-> [Route Static]	files to combine
-> Q Exp

Combine multiple JS files together

combineStylesheets' Source #

Arguments

:: Bool	development? if so, perform no combining
-> CombineSettings
-> Name	Static route constructor name, e.g. 'StaticR
-> [Route Static]	files to combine
-> Q Exp

Combine multiple CSS files together

getRequestNonce :: MonadHandler m => m CSPNonce Source #

Get a nonce for the request

CSP nonces must be unique per request, but they do not need to be unique amongst themselves. This function checks the per-request cache to see if we have already generated a nonce. If we have, we use the cached value. If this is the first call to this function for the request, we generate a new CSPNonce by base64-encoding a UUIDV4 value.

n.b. It is not important to use a high-quality random value to generate the nonce, but Data.UUID.V4.nextRandom just happens to be faster than System.Random.randomIO.