Safe Haskell | Safe-Inferred |
---|---|
Language | Haskell2010 |
Deals with CSP without disabling it. This is done by overriding the default yesod provided addScript functionalities and adding a nonce to the tag, and the right headers to the request.
Synopsis
- data CombineSettings = CombineSettings {
- csStaticDir :: FilePath
- csCssPostProcess :: [FilePath] -> ByteString -> IO ByteString
- csJsPostProcess :: [FilePath] -> ByteString -> IO ByteString
- csCssPreProcess :: Text -> IO Text
- csJsPreProcess :: Text -> IO Text
- csCombinedFolder :: FilePath
- newtype CSPNonce = CSPNonce {
- unCSPNonce :: Text
- data Directive
- data Source
- = Wildcard
- | None
- | Self
- | DataScheme
- | BlobScheme
- | Host Text
- | Https
- | Http
- | UnsafeInline
- | UnsafeEval
- | StrictDynamic
- | Nonce Text
- addCSP :: MonadWidget m => Directive -> Source -> m ()
- addCSPMiddleware :: HandlerFor m a -> HandlerFor m a
- addScript :: MonadWidget m => Route (HandlerSite m) -> m ()
- addScriptAttrs :: MonadWidget m => Route (HandlerSite m) -> [(Text, Text)] -> m ()
- addScriptEither :: MonadWidget m => Either (Route (HandlerSite m)) Text -> m ()
- addScriptRemote :: MonadWidget m => Text -> m ()
- addScriptRemoteAttrs :: MonadWidget m => Text -> [(Text, Text)] -> m ()
- combineScripts' :: Bool -> CombineSettings -> Name -> [Route Static] -> Q Exp
- combineStylesheets' :: Bool -> CombineSettings -> Name -> [Route Static] -> Q Exp
- getRequestNonce :: MonadHandler m => m CSPNonce
Documentation
data CombineSettings Source #
CombineSettings | |
|
DefaultSrc | |
StyleSrc | |
ScriptSrc | |
ObjectSrc | |
ImgSrc | |
FontSrc | |
ConnectSrc | |
MediaSrc | |
FrameSrc | |
FormAction | |
FrameAncestors | |
BaseURI | |
ReportURI | |
ManifestSrc |
Wildcard | |
None | |
Self | |
DataScheme | |
BlobScheme | |
Host Text | |
Https | |
Http | |
UnsafeInline | |
UnsafeEval | |
StrictDynamic | |
Nonce Text |
addCSP :: MonadWidget m => Directive -> Source -> m () Source #
Add a directive to the current Content-Security Policy
addCSPMiddleware :: HandlerFor m a -> HandlerFor m a Source #
addScript :: MonadWidget m => Route (HandlerSite m) -> m () Source #
Add a local JavaScript asset to the widget
This is intended to a be a drop-in replacement for
Yesod.Core.Widget.addScript
. It takes the nonce generated for the current
request and embeds it as an HTML attribute in the script tag.
addScriptAttrs :: MonadWidget m => Route (HandlerSite m) -> [(Text, Text)] -> m () Source #
addScriptEither :: MonadWidget m => Either (Route (HandlerSite m)) Text -> m () Source #
addScriptRemote :: MonadWidget m => Text -> m () Source #
Add a remote JavaScript asset to the widget
The same notes for addScript
apply here.
addScriptRemoteAttrs :: MonadWidget m => Text -> [(Text, Text)] -> m () Source #
:: Bool | development? if so, perform no combining |
-> CombineSettings | |
-> Name | Static route constructor name, e.g. 'StaticR |
-> [Route Static] | files to combine |
-> Q Exp |
Combine multiple JS files together
:: Bool | development? if so, perform no combining |
-> CombineSettings | |
-> Name | Static route constructor name, e.g. 'StaticR |
-> [Route Static] | files to combine |
-> Q Exp |
Combine multiple CSS files together
getRequestNonce :: MonadHandler m => m CSPNonce Source #
Get a nonce for the request
CSP nonces must be unique per request, but they do not need to be unique
amongst themselves. This function checks the per-request cache to see if we
have already generated a nonce. If we have, we use the cached value. If this
is the first call to this function for the request, we generate a new
CSPNonce
by base64-encoding a UUIDV4 value.
n.b. It is not important to use a high-quality random value to generate the
nonce, but Data.UUID.V4.nextRandom
just happens to be faster than
System.Random.randomIO
.