Safe Haskell	None
Language	Haskell2010

Yesod.Csp

Description

Add CSP headers to Yesod apps. This helps reduce the risk of exposure to XSS and bad assets.

Synopsis

Documentation

cspPolicy :: MonadHandler m => DirectiveList -> m () Source #

Adds a Content-Security-Policy header to your response.

getExample1R :: Handler Html
getExample1R = do
  -- only allow scripts from my website
  cspPolicy [ScriptSrc (Self :| [])]
  defaultLayout $ do
    addScriptRemote "http://httpbin.org/i_am_external"
    [whamlet|hello|]

getCspPolicy :: DirectiveList -> Text Source #

Returns a generated Content-Security-Policy header.

data EscapedURI Source #

Instances

Eq EscapedURI Source #
Methods (==) :: EscapedURI -> EscapedURI -> Bool # (/=) :: EscapedURI -> EscapedURI -> Bool #
Data EscapedURI Source #
Methods gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> EscapedURI -> c EscapedURI # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c EscapedURI # toConstr :: EscapedURI -> Constr # dataTypeOf :: EscapedURI -> DataType # dataCast1 :: Typeable (* -> ) t => (forall d. Data d => c (t d)) -> Maybe (c EscapedURI) # dataCast2 :: Typeable ( -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c EscapedURI) # gmapT :: (forall b. Data b => b -> b) -> EscapedURI -> EscapedURI # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> EscapedURI -> r # gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> EscapedURI -> r # gmapQ :: (forall d. Data d => d -> u) -> EscapedURI -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> EscapedURI -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI #
Show EscapedURI Source #
Methods showsPrec :: Int -> EscapedURI -> ShowS # show :: EscapedURI -> String # showList :: [EscapedURI] -> ShowS #

escapeAndParseURI :: Text -> Maybe EscapedURI Source #

Escapes ';' '\'' and ' ', and parses to URI

escapedTextForNonce :: String -> EscapedText Source #

Escapes Text to be a valid nonce value

nonce :: Text -> Source Source #

Escapes a Text value, returning a valid Nonce

type DirectiveList = [Directive] Source #

A list of restrictions to apply.

data Directive Source #

A restriction on how assets can be loaded. For example ImgSrc concerns where images may be loaded from.

Constructors

DefaultSrc SourceList
ScriptSrc SourceList
StyleSrc SourceList
ImgSrc SourceList
ConnectSrc SourceList
FontSrc SourceList
ObjectSrc SourceList
MediaSrc SourceList
FrameSrc SourceList
Sandbox [SandboxOptions]	Applies a sandbox to the result. See here for more info.
ReportUri EscapedURI

Instances

Eq Directive Source #
Methods (==) :: Directive -> Directive -> Bool # (/=) :: Directive -> Directive -> Bool #
Data Directive Source #
Methods gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Directive -> c Directive # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Directive # toConstr :: Directive -> Constr # dataTypeOf :: Directive -> DataType # dataCast1 :: Typeable (* -> ) t => (forall d. Data d => c (t d)) -> Maybe (c Directive) # dataCast2 :: Typeable ( -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Directive) # gmapT :: (forall b. Data b => b -> b) -> Directive -> Directive # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Directive -> r # gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Directive -> r # gmapQ :: (forall d. Data d => d -> u) -> Directive -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> Directive -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> Directive -> m Directive # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Directive -> m Directive # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Directive -> m Directive #
Show Directive Source #
Methods showsPrec :: Int -> Directive -> ShowS # show :: Directive -> String # showList :: [Directive] -> ShowS #

type SourceList = NonEmpty Source Source #

A list of allowed sources for a directive.

data Source Source #

Represents a location from which assets may be loaded.

Constructors

Wildcard
None
Self
DataScheme
Host EscapedURI
Https
UnsafeInline
UnsafeEval
Nonce EscapedText
MetaSource Text

Instances

Eq Source Source #
Methods (==) :: Source -> Source -> Bool # (/=) :: Source -> Source -> Bool #
Data Source Source #
Methods gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Source -> c Source # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Source # toConstr :: Source -> Constr # dataTypeOf :: Source -> DataType # dataCast1 :: Typeable (* -> ) t => (forall d. Data d => c (t d)) -> Maybe (c Source) # dataCast2 :: Typeable ( -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Source) # gmapT :: (forall b. Data b => b -> b) -> Source -> Source # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Source -> r # gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Source -> r # gmapQ :: (forall d. Data d => d -> u) -> Source -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> Source -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> Source -> m Source # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Source -> m Source # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Source -> m Source #
Show Source Source #
Methods showsPrec :: Int -> Source -> ShowS # show :: Source -> String # showList :: [Source] -> ShowS #

data SandboxOptions Source #

Configuration options for the sandbox.

Constructors

AllowForms
AllowScripts
AllowSameOrigin
AllowTopNavigation

Instances

Eq SandboxOptions Source #
Methods (==) :: SandboxOptions -> SandboxOptions -> Bool # (/=) :: SandboxOptions -> SandboxOptions -> Bool #
Data SandboxOptions Source #
Methods gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> SandboxOptions -> c SandboxOptions # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c SandboxOptions # toConstr :: SandboxOptions -> Constr # dataTypeOf :: SandboxOptions -> DataType # dataCast1 :: Typeable (* -> ) t => (forall d. Data d => c (t d)) -> Maybe (c SandboxOptions) # dataCast2 :: Typeable ( -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c SandboxOptions) # gmapT :: (forall b. Data b => b -> b) -> SandboxOptions -> SandboxOptions # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> SandboxOptions -> r # gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> SandboxOptions -> r # gmapQ :: (forall d. Data d => d -> u) -> SandboxOptions -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> SandboxOptions -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions #
Show SandboxOptions Source #
Methods showsPrec :: Int -> SandboxOptions -> ShowS # show :: SandboxOptions -> String # showList :: [SandboxOptions] -> ShowS #

textSource :: Source -> Text Source #