freckle-app 1.0.2.0 → 1.0.2.1
raw patch · 5 files changed
+26/−6 lines, 5 files
Files
- CHANGELOG.md +5/−1
- freckle-app.cabal +1/−1
- library/Freckle/App/Wai.hs +5/−0
- package.yaml +1/−1
- tests/Freckle/App/WaiSpec.hs +14/−3
CHANGELOG.md view
@@ -1,6 +1,10 @@-## [_Unreleased_](https://github.com/freckle/freckle-app/compare/v1.0.2.0...main)+## [_Unreleased_](https://github.com/freckle/freckle-app/compare/v1.0.2.1...main) - None.++## [v1.0.2.1](https://github.com/freckle/freckle-app/compare/v1.0.2.0...v1.0.2.1)++- Add `denyFrameEmbeddingMiddleware` for denying HTML frame embedding. ## [v1.0.2.0](https://github.com/freckle/freckle-app/compare/v1.0.1.0...v1.0.2.0)
freckle-app.cabal view
@@ -1,6 +1,6 @@ cabal-version: 1.12 name: freckle-app-version: 1.0.2.0+version: 1.0.2.1 license: MIT license-file: LICENSE maintainer: Freckle Education
library/Freckle/App/Wai.hs view
@@ -8,6 +8,7 @@ , makeRequestMetricsMiddleware , noCacheMiddleware , corsMiddleware+ , denyFrameEmbeddingMiddleware ) where import Prelude@@ -199,6 +200,10 @@ corsMiddleware validateOrigin extraExposedHeaders = handleOptions validateOrigin extraExposedHeaders . addCORSHeaders validateOrigin extraExposedHeaders++-- | Middleware that adds header to deny all frame embedding+denyFrameEmbeddingMiddleware :: Middleware+denyFrameEmbeddingMiddleware = addHeaders [("X-Frame-Options", "DENY")] handleOptions :: (ByteString -> Bool) -> [ByteString] -> Middleware handleOptions validateOrigin extraExposedHeaders app req sendResponse =
package.yaml view
@@ -1,6 +1,6 @@ --- name: freckle-app-version: 1.0.2.0+version: 1.0.2.1 maintainer: Freckle Education category: Utils github: freckle/freckle-app
tests/Freckle/App/WaiSpec.hs view
@@ -1,14 +1,14 @@ module Freckle.App.WaiSpec ( spec- )-where+ ) where import Prelude import Data.ByteString (ByteString) import Data.Function (on) import Data.List (deleteBy)-import Freckle.App.Wai (corsMiddleware, noCacheMiddleware)+import Freckle.App.Wai+ (corsMiddleware, denyFrameEmbeddingMiddleware, noCacheMiddleware) import Network.HTTP.Types.Method (Method) import Network.HTTP.Types.Status (status200) import Network.Wai@@ -83,6 +83,17 @@ "Access-Control-Expose-Headers" "Set-Cookie, Content-Disposition, Link, X-Foo" response++ describe "denyFrameEmbeddingMiddleware" $ do+ let+ runTestSession :: Session a -> IO a+ runTestSession f = runSession f $ denyFrameEmbeddingMiddleware app++ it "adds an appropriate X-Frame-Options header" $ runTestSession $ do+ response <- request defaultRequest++ assertHeader "X-Frame-Options" "DENY" response+ assertBody "Test" response app :: Application app _req respond = respond $ responseLBS status200 [] "Test"