yesod-csp-0.2.4.0: Add CSP headers to Yesod apps

Safe Haskell: None
Language: Haskell2010

Yesod.Csp

Description

Add Content-Security-Policy (CSP) headers to Yesod apps. This helps reduce exposure to cross-site scripting (XSS) and to assets loaded from origins you do not trust.


Documentation

cspPolicy :: MonadHandler m => DirectiveList -> m () #

Adds a Content-Security-Policy header to your response.

-- | Example handler: sends a policy that permits scripts only from the
-- site's own origin, then renders a page that references a script hosted
-- on a different origin.
getExample1R :: Handler Html
getExample1R = do
  -- script-src is limited to 'self', i.e. this application's own origin
  cspPolicy [ScriptSrc (Self :| [])]
  -- The remote script below is outside that allow-list, so a browser that
  -- enforces the policy is expected to refuse to load it.
  defaultLayout $
    addScriptRemote "http://httpbin.org/i_am_external" >> [whamlet|hello|]

getCspPolicy :: DirectiveList -> Text #

Returns a generated Content-Security-Policy header.

cspMiddleware :: DirectiveList -> Middleware #

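Creates a WAI Middleware that adds a Content-Security-Policy header to every response. The directive list is fixed when the middleware is constructed, so every response carries the same policy; a nonce source placed in it would be reused across responses.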

data EscapedURI #

Instances

Eq EscapedURI # 
Data EscapedURI # 

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> EscapedURI -> c EscapedURI #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c EscapedURI #

toConstr :: EscapedURI -> Constr #

dataTypeOf :: EscapedURI -> DataType #

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c EscapedURI) #

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c EscapedURI) #

gmapT :: (forall b. Data b => b -> b) -> EscapedURI -> EscapedURI #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> EscapedURI -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> EscapedURI -> r #

gmapQ :: (forall d. Data d => d -> u) -> EscapedURI -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> EscapedURI -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI #

Show EscapedURI # 

escapeAndParseURI :: Text -> Maybe EscapedURI #

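Escapes ';', '\'' and ' ' in the input, then parses the result as a URI. These characters act as delimiters in a Content-Security-Policy header value, so they must not appear unescaped inside a source.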

escapedTextForNonce :: String -> EscapedText #

Escapes a String so that it is a valid nonce value

nonce :: Text -> Source #

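Escapes a Text value and returns it as a nonce Source. Escaping only makes the value syntactically valid; the nonce itself should be unpredictable and generated afresh for each response.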

type DirectiveList = [Directive] #

A list of restrictions to apply.

data Directive #

A restriction on how assets can be loaded. For example ImgSrc concerns where images may be loaded from.

Instances

Eq Directive # 
Data Directive # 

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Directive -> c Directive #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Directive #

toConstr :: Directive -> Constr #

dataTypeOf :: Directive -> DataType #

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c Directive) #

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Directive) #

gmapT :: (forall b. Data b => b -> b) -> Directive -> Directive #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Directive -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Directive -> r #

gmapQ :: (forall d. Data d => d -> u) -> Directive -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> Directive -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> Directive -> m Directive #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Directive -> m Directive #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Directive -> m Directive #

Show Directive # 

type SourceList = NonEmpty Source #

A list of allowed sources for a directive.

data Source #

Represents a location from which assets may be loaded.

Instances

Eq Source # 

Methods

(==) :: Source -> Source -> Bool #

(/=) :: Source -> Source -> Bool #

Data Source # 

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Source -> c Source #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Source #

toConstr :: Source -> Constr #

dataTypeOf :: Source -> DataType #

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c Source) #

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Source) #

gmapT :: (forall b. Data b => b -> b) -> Source -> Source #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Source -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Source -> r #

gmapQ :: (forall d. Data d => d -> u) -> Source -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> Source -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> Source -> m Source #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Source -> m Source #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Source -> m Source #

Show Source # 

data SandboxOptions #

Configuration options for the sandbox.

Instances

Eq SandboxOptions # 
Data SandboxOptions # 

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> SandboxOptions -> c SandboxOptions #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c SandboxOptions #

toConstr :: SandboxOptions -> Constr #

dataTypeOf :: SandboxOptions -> DataType #

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c SandboxOptions) #

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c SandboxOptions) #

gmapT :: (forall b. Data b => b -> b) -> SandboxOptions -> SandboxOptions #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> SandboxOptions -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> SandboxOptions -> r #

gmapQ :: (forall d. Data d => d -> u) -> SandboxOptions -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> SandboxOptions -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions #

Show SandboxOptions #