yesod-csp 0.2.3.0 → 0.2.4.0
raw patch · 4 files changed
+14/−1 lines, 4 filesPVP ok
version bump matches the API change (PVP)
API changes (from Hackage documentation)
+ Yesod.Csp: StrictDynamic :: Source
+ Yesod.Csp.Example: getExample12R :: Handler Html
Files
- src/Yesod/Csp.hs +2/−0
- src/Yesod/Csp/Example.hs +9/−0
- src/Yesod/Csp/TH.hs +2/−0
- yesod-csp.cabal +1/−1
src/Yesod/Csp.hs view
@@ -120,6 +120,7 @@ | Https | UnsafeInline | UnsafeEval+ | StrictDynamic | Nonce EscapedText | MetaSource Text deriving (Eq, Show, Data, Typeable) @@ -135,6 +136,7 @@ textSource Https = "https:" textSource UnsafeInline = "'unsafe-inline'" textSource UnsafeEval = "'unsafe-eval'"+textSource StrictDynamic = "'strict-dynamic'" textSource (MetaSource _) = "" textSource (Nonce x) = (pack . show) x
src/Yesod/Csp/Example.hs view
@@ -24,6 +24,7 @@ /9 Example9R GET /10 Example10R GET /11 Example11R GET+ /12 Example12R GET |] instance Yesod Example@@ -138,6 +139,14 @@ I should only be iframe-able by Google! |] +getExample12R :: Handler Html+getExample12R = do+ let n = "foo"+ cspPolicy [csp|script-src strict-dynamic unsafe-inline $nonce-n|]+ defaultLayout $ [whamlet|+ <script nonce="foo">+ alert("ayyyy");+ |] -- | Run a webserver to serve these examples at /1, /2, etc. runExamples :: IO ()
src/Yesod/Csp/TH.hs view
@@ -54,6 +54,7 @@ <|> host <|> unsafeInline <|> unsafeEval+ <|> strictDynamic <|> parseNonce <|> metaSource where wildcard = string "*" *> pure Wildcard@@ -84,6 +85,7 @@ _ -> fail "https" unsafeInline = string "unsafe-inline" *> pure UnsafeInline unsafeEval = string "unsafe-eval" *> pure UnsafeEval+ strictDynamic = string "strict-dynamic" *> pure StrictDynamic separated :: Char -> Bool separated x = x == ';' || x == ' '
yesod-csp.cabal view
@@ -2,7 +2,7 @@ -- documentation, see http://haskell.org/cabal/users-guide/ name: yesod-csp-version: 0.2.3.0+version: 0.2.4.0 synopsis: Add CSP headers to Yesod apps description: Add CSP headers to Yesod apps. This helps reduce exposure to XSS attacks and bad assets. license: MIT