| Safe Haskell | None |
|---|---|
| Language | Haskell2010 |
Yesod.Csp
Description
Add CSP headers to Yesod apps. This helps reduce the risk of exposure to XSS and bad assets.
- cspPolicy :: MonadHandler m => DirectiveList -> m ()
- getCspPolicy :: DirectiveList -> Text
- data EscapedURI
- escapeAndParseURI :: Text -> Maybe EscapedURI
- type DirectiveList = [Directive]
- data Directive
- type SourceList = NonEmpty Source
- data Source
- data SandboxOptions
Documentation
cspPolicy :: MonadHandler m => DirectiveList -> m () Source
Adds a Content-Security-Policy header to your response.
getExample1R :: Handler Html
getExample1R = do
-- only allow scripts from my website
cspPolicy [ScriptSrc (Self :| [])]
defaultLayout $ do
addScriptRemote "http://httpbin.org/i_am_external"
[whamlet|hello|]getCspPolicy :: DirectiveList -> Text Source
Returns a generated Content-Security-Policy header.
data EscapedURI Source
Instances
escapeAndParseURI :: Text -> Maybe EscapedURI Source
Escapes ';' '\'' and ' ', and parses to URI
type DirectiveList = [Directive] Source
A list of restrictions to apply.
A restriction on how assets can be loaded.
For example ImgSrc concerns where images may be loaded from.
Constructors
| DefaultSrc SourceList | |
| ScriptSrc SourceList | |
| StyleSrc SourceList | |
| ImgSrc SourceList | |
| ConnectSrc SourceList | |
| FontSrc SourceList | |
| ObjectSrc SourceList | |
| MediaSrc SourceList | |
| FrameSrc SourceList | |
| Sandbox [SandboxOptions] | Applies a sandbox to the result. See here for more info. |
| ReportUri EscapedURI |
type SourceList = NonEmpty Source Source
A list of allowed sources for a directive.
Represents a location from which assets may be loaded.
Constructors
| Wildcard | |
| None | |
| Self | |
| DataScheme | |
| Host EscapedURI | |
| Https | |
| UnsafeInline | |
| UnsafeEval | |
| MetaSource Text |
data SandboxOptions Source
Configuration options for the sandbox.
Constructors
| AllowForms | |
| AllowScripts | |
| AllowSameOrigin | |
| AllowTopNavigation |