| Safe Haskell | None |
|---|---|
| Language | Haskell2010 |
Yesod.Csp
Description
Add CSP headers to Yesod apps. This helps reduce the risk of exposure to XSS and bad assets.
Synopsis
- cspPolicy :: MonadHandler m => DirectiveList -> m ()
- getCspPolicy :: DirectiveList -> Text
- cspMiddleware :: DirectiveList -> Middleware
- data EscapedURI
- escapeAndParseURI :: Text -> Maybe EscapedURI
- escapedTextForNonce :: String -> EscapedText
- nonce :: Text -> Source
- type DirectiveList = [Directive]
- data Directive
- type SourceList = NonEmpty Source
- data Source
- = Wildcard
- | None
- | Self
- | DataScheme
- | Host EscapedURI
- | Https
- | UnsafeInline
- | UnsafeEval
- | StrictDynamic
- | Nonce EscapedText
- | MetaSource Text
- data SandboxOptions
- textSource :: Source -> Text
Documentation
cspPolicy :: MonadHandler m => DirectiveList -> m () Source #
Adds a "Content-Security-Policy" header to your response.
getExample1R :: Handler Html
getExample1R = do
-- only allow scripts from my website
cspPolicy [ScriptSrc (Self :| [])]
defaultLayout $ do
addScriptRemote "http://httpbin.org/i_am_external"
[whamlet|hello|]getCspPolicy :: DirectiveList -> Text Source #
Returns a generated Content-Security-Policy header.
cspMiddleware :: DirectiveList -> Middleware Source #
Creates a WAI Middleware to add a Content-Security-Policy
header to every response.
data EscapedURI Source #
Instances
| Eq EscapedURI Source # | |
Defined in Yesod.Csp | |
| Data EscapedURI Source # | |
Defined in Yesod.Csp Methods gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> EscapedURI -> c EscapedURI # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c EscapedURI # toConstr :: EscapedURI -> Constr # dataTypeOf :: EscapedURI -> DataType # dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c EscapedURI) # dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c EscapedURI) # gmapT :: (forall b. Data b => b -> b) -> EscapedURI -> EscapedURI # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> EscapedURI -> r # gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> EscapedURI -> r # gmapQ :: (forall d. Data d => d -> u) -> EscapedURI -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> EscapedURI -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI # | |
| Show EscapedURI Source # | |
Defined in Yesod.Csp Methods showsPrec :: Int -> EscapedURI -> ShowS # show :: EscapedURI -> String # showList :: [EscapedURI] -> ShowS # | |
escapeAndParseURI :: Text -> Maybe EscapedURI Source #
Escapes ';' '\'' and ' ', and parses to URI
escapedTextForNonce :: String -> EscapedText Source #
Escapes Text to be a valid nonce value
type DirectiveList = [Directive] Source #
A list of restrictions to apply.
A restriction on how assets can be loaded.
For example ImgSrc concerns where images may be loaded from.
Constructors
| DefaultSrc SourceList | |
| ScriptSrc SourceList | |
| StyleSrc SourceList | |
| ImgSrc SourceList | |
| ConnectSrc SourceList | |
| FontSrc SourceList | |
| ObjectSrc SourceList | |
| MediaSrc SourceList | |
| FrameSrc SourceList | |
| FrameAncestors SourceList | |
| Sandbox [SandboxOptions] | Applies a sandbox to the result. See here for more info. |
| ReportUri EscapedURI |
Instances
| Eq Directive Source # | |
| Data Directive Source # | |
Defined in Yesod.Csp Methods gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Directive -> c Directive # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Directive # toConstr :: Directive -> Constr # dataTypeOf :: Directive -> DataType # dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c Directive) # dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Directive) # gmapT :: (forall b. Data b => b -> b) -> Directive -> Directive # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Directive -> r # gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Directive -> r # gmapQ :: (forall d. Data d => d -> u) -> Directive -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> Directive -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> Directive -> m Directive # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Directive -> m Directive # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Directive -> m Directive # | |
| Show Directive Source # | |
type SourceList = NonEmpty Source Source #
A list of allowed sources for a directive.
Represents a location from which assets may be loaded.
Constructors
| Wildcard | |
| None | |
| Self | |
| DataScheme | |
| Host EscapedURI | |
| Https | |
| UnsafeInline | |
| UnsafeEval | |
| StrictDynamic | |
| Nonce EscapedText | |
| MetaSource Text |
Instances
| Eq Source Source # | |
| Data Source Source # | |
Defined in Yesod.Csp Methods gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Source -> c Source # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Source # toConstr :: Source -> Constr # dataTypeOf :: Source -> DataType # dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c Source) # dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Source) # gmapT :: (forall b. Data b => b -> b) -> Source -> Source # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Source -> r # gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Source -> r # gmapQ :: (forall d. Data d => d -> u) -> Source -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> Source -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> Source -> m Source # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Source -> m Source # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Source -> m Source # | |
| Show Source Source # | |
data SandboxOptions Source #
Configuration options for the sandbox.
Constructors
| AllowForms | |
| AllowScripts | |
| AllowSameOrigin | |
| AllowTopNavigation |
Instances
| Eq SandboxOptions Source # | |
Defined in Yesod.Csp Methods (==) :: SandboxOptions -> SandboxOptions -> Bool # (/=) :: SandboxOptions -> SandboxOptions -> Bool # | |
| Data SandboxOptions Source # | |
Defined in Yesod.Csp Methods gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> SandboxOptions -> c SandboxOptions # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c SandboxOptions # toConstr :: SandboxOptions -> Constr # dataTypeOf :: SandboxOptions -> DataType # dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c SandboxOptions) # dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c SandboxOptions) # gmapT :: (forall b. Data b => b -> b) -> SandboxOptions -> SandboxOptions # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> SandboxOptions -> r # gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> SandboxOptions -> r # gmapQ :: (forall d. Data d => d -> u) -> SandboxOptions -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> SandboxOptions -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions # | |
| Show SandboxOptions Source # | |
Defined in Yesod.Csp Methods showsPrec :: Int -> SandboxOptions -> ShowS # show :: SandboxOptions -> String # showList :: [SandboxOptions] -> ShowS # | |
textSource :: Source -> Text Source #