Safe Haskell | None |
---|---|
Language | Haskell2010 |
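Add Content-Security-Policy (CSP) headers to Yesod apps. This helps reduce exposure to cross-site scripting (XSS) and to assets loaded from origins you did not intend to trust. A policy limits what injected markup can load or run; it does not replace escaping untrusted output.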
- cspPolicy :: MonadHandler m => DirectiveList -> m ()
- getCspPolicy :: DirectiveList -> Text
- data EscapedURI
- escapeAndParseURI :: Text -> Maybe EscapedURI
- escapedTextForNonce :: String -> EscapedText
- nonce :: Text -> Source
- type DirectiveList = [Directive]
- data Directive
- type SourceList = NonEmpty Source
- data Source
- = Wildcard
- | None
- | Self
- | DataScheme
- | Host EscapedURI
- | Https
- | UnsafeInline
- | UnsafeEval
- | Nonce EscapedText
- | MetaSource Text
- data SandboxOptions
- textSource :: Source -> Text
Documentation
cspPolicy :: MonadHandler m => DirectiveList -> m () Source #
Adds a Content-Security-Policy header to your response.
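-- | Example handler: send a policy that only allows scripts from this
-- site's own origin.
--
-- The page then references a script on another host. That host is not in the
-- @script-src@ list, so a browser that enforces CSP is expected to refuse to
-- load it; the example exists to show the policy taking effect.
getExample1R :: Handler Html
getExample1R = do
  -- only allow scripts from my website
  cspPolicy [ScriptSrc (Self :| [])]
  defaultLayout $ do
    -- External origin, not covered by 'Self' above.
    addScriptRemote "http://httpbin.org/i_am_external"
    [whamlet|hello|]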
getCspPolicy :: DirectiveList -> Text Source #
Returns a generated Content-Security-Policy header.
escapeAndParseURI :: Text -> Maybe EscapedURI Source #
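Escapes ';', '\'' and ' ' (the characters that separate directives, quote keywords and separate sources in a policy), then parses the result as a URI.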
escapedTextForNonce :: String -> EscapedText Source #
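Escapes the input so that it is a valid nonce value. Escaping only makes the value well-formed: the nonce must still be unpredictable and generated fresh for every response.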
type DirectiveList = [Directive] Source #
A list of restrictions to apply.
A restriction on how assets can be loaded. For example, ImgSrc restricts where images may be loaded from.
DefaultSrc SourceList | |
ScriptSrc SourceList | |
StyleSrc SourceList | |
ImgSrc SourceList | |
ConnectSrc SourceList | |
FontSrc SourceList | |
ObjectSrc SourceList | |
MediaSrc SourceList | |
FrameSrc SourceList | |
FrameAncestors SourceList | |
Sandbox [SandboxOptions] | Applies a sandbox to the result. See the `sandbox` directive in the Content Security Policy specification for more info. |
ReportUri EscapedURI |
type SourceList = NonEmpty Source
A list of allowed sources for a directive.
Represents a location from which assets may be loaded.
Wildcard | |
None | |
Self | |
DataScheme | |
Host EscapedURI | |
Https | |
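UnsafeInline | Permits inline scripts and styles for the directive it is used in. This removes most of the protection a policy gives against XSS; prefer a Nonce source where inline code cannot be avoided. |
UnsafeEval | Permits evaluating strings as code (eval and similar). Avoid it unless the application cannot work without it. |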
Nonce EscapedText | |
MetaSource Text |
data SandboxOptions Source #
Configuration options for the sandbox.
textSource :: Source -> Text