yesod-csp-0.2.4.0: Add CSP headers to Yesod apps

Safe Haskell: None
Language: Haskell2010

Yesod.Csp

Description

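Add Content-Security-Policy (CSP) headers to Yesod apps. This helps reduce exposure to XSS and to assets loaded from origins you did not intend to trust. CSP is a second line of defence: it limits what injected markup can load or run, and does not replace escaping untrusted output.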


Documentation

cspPolicy :: MonadHandler m => DirectiveList -> m () #

Adds a "Content-Security-Policy" header to your response.

-- | Example handler: sends a policy that allows scripts from this site's own
-- origin only, then renders a page that references a script on another host.
getExample1R :: Handler Html
getExample1R = do
  -- Attach the Content-Security-Policy header before the page is rendered.
  cspPolicy scriptsFromSelfOnly
  defaultLayout $ do
    -- This script is not same-origin, so a browser that enforces the policy
    -- above is expected to refuse to load it.
    addScriptRemote "http://httpbin.org/i_am_external"
    [whamlet|hello|]
  where
    -- script-src restricted to the page's own origin.
    scriptsFromSelfOnly = [ScriptSrc (Self :| [])]

getCspPolicy :: DirectiveList -> Text #

Returns a generated Content-Security-Policy header.

cspMiddleware :: DirectiveList -> Middleware #

Creates a WAI Middleware to add a Content-Security-Policy header to every response.

data EscapedURI #

Instances
Eq EscapedURI # 
Instance details

Defined in Yesod.Csp

Data EscapedURI # 
Instance details

Defined in Yesod.Csp

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> EscapedURI -> c EscapedURI #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c EscapedURI #

toConstr :: EscapedURI -> Constr #

dataTypeOf :: EscapedURI -> DataType #

dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c EscapedURI) #

dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c EscapedURI) #

gmapT :: (forall b. Data b => b -> b) -> EscapedURI -> EscapedURI #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> EscapedURI -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> EscapedURI -> r #

gmapQ :: (forall d. Data d => d -> u) -> EscapedURI -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> EscapedURI -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> EscapedURI -> m EscapedURI #

Show EscapedURI # 
Instance details

Defined in Yesod.Csp

escapeAndParseURI :: Text -> Maybe EscapedURI #

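Escapes the characters ';', '\'' and ' ' in the input, then parses the result as a URI. These characters are delimiters in the Content-Security-Policy header syntax (';' separates directives, ' ' separates sources, '\'' quotes keywords), so escaping them keeps a supplied URI from adding extra sources or directives to the generated policy. The result is a Maybe; presumably Nothing means the escaped text did not parse as a URI.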

escapedTextForNonce :: String -> EscapedText #

Escapes a String so that it is a valid nonce value.

nonce :: Text -> Source #

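Escapes a Text value and returns it as a nonce Source. Escaping only makes the value syntactically safe to place in the header; for the nonce to offer protection, the caller should supply a value that is unpredictable and generated fresh for each response.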

type DirectiveList = [Directive] #

A list of restrictions to apply.

data Directive #

A restriction on how assets can be loaded. For example ImgSrc concerns where images may be loaded from.

Instances
Eq Directive # 
Instance details

Defined in Yesod.Csp

Data Directive # 
Instance details

Defined in Yesod.Csp

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Directive -> c Directive #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Directive #

toConstr :: Directive -> Constr #

dataTypeOf :: Directive -> DataType #

dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c Directive) #

dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Directive) #

gmapT :: (forall b. Data b => b -> b) -> Directive -> Directive #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Directive -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Directive -> r #

gmapQ :: (forall d. Data d => d -> u) -> Directive -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> Directive -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> Directive -> m Directive #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Directive -> m Directive #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Directive -> m Directive #

Show Directive # 
Instance details

Defined in Yesod.Csp

type SourceList = NonEmpty Source #

A list of allowed sources for a directive.

data Source #

Represents a location from which assets may be loaded.

Instances
Eq Source # 
Instance details

Defined in Yesod.Csp

Methods

(==) :: Source -> Source -> Bool #

(/=) :: Source -> Source -> Bool #

Data Source # 
Instance details

Defined in Yesod.Csp

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Source -> c Source #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Source #

toConstr :: Source -> Constr #

dataTypeOf :: Source -> DataType #

dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c Source) #

dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Source) #

gmapT :: (forall b. Data b => b -> b) -> Source -> Source #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Source -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Source -> r #

gmapQ :: (forall d. Data d => d -> u) -> Source -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> Source -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> Source -> m Source #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Source -> m Source #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Source -> m Source #

Show Source # 
Instance details

Defined in Yesod.Csp

data SandboxOptions #

Configuration options for the sandbox.

Instances
Eq SandboxOptions # 
Instance details

Defined in Yesod.Csp

Data SandboxOptions # 
Instance details

Defined in Yesod.Csp

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> SandboxOptions -> c SandboxOptions #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c SandboxOptions #

toConstr :: SandboxOptions -> Constr #

dataTypeOf :: SandboxOptions -> DataType #

dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c SandboxOptions) #

dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c SandboxOptions) #

gmapT :: (forall b. Data b => b -> b) -> SandboxOptions -> SandboxOptions #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> SandboxOptions -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> SandboxOptions -> r #

gmapQ :: (forall d. Data d => d -> u) -> SandboxOptions -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> SandboxOptions -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> SandboxOptions -> m SandboxOptions #

Show SandboxOptions # 
Instance details

Defined in Yesod.Csp