From d385ada8530475e57f494ec4c73414b08440aa53 Mon Sep 17 00:00:00 2001
From: Jezen Thomas <jezen@jezenthomas.com>
Date: Mon, 19 Aug 2019 20:28:27 +0200
Subject: [PATCH] Move JavaScript form submission to script block

If someone wants their website to score a good grade on a security
vulnerability scanner like Mozilla Observatory, they will need to enable
the Content Security Policy header. When using CSP, it is possible to
explicitly allow inline JavaScript in `<script>` tags by specifying the
sha256 of the snippet. However the same is _not_ true of any JavaScript
included in a HTML attribute like `onload`.

This changes moves the JavaScript form submission out of the `onload`
HTML attribute and into a `<script>` tag so the user can add the hash of
this script to their explicitly-allowed `script-src` list, and they can
avoid using undesirable CSP rules like `unsafe-inline`.

Without explicitly allowing this script when using CSP, the script would
fail and the user would have to click the button to continue.
---
 yesod-core/ChangeLog.md              | 5 +++++
 yesod-core/src/Yesod/Core/Handler.hs | 4 +++-
 yesod-core/yesod-core.cabal          | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/yesod-core/ChangeLog.md b/yesod-core/ChangeLog.md
index 0d851910..2d1a6e75 100644
--- a/yesod-core/ChangeLog.md
+++ b/yesod-core/ChangeLog.md
@@ -1,5 +1,10 @@
 # ChangeLog for yesod-core
 
+## 1.6.15
+
+* Move `redirectToPost` JavaScript form submission from HTML element to
+  `<script>` tag for CSP reasons [#1620](https://github.com/yesodweb/yesod/pull/1620)
+
 ## 1.6.14
 
 * Introduce `JSONResponse`. [issue #1481](https://github.com/yesodweb/yesod/issues/1481) and [PR #1592](https://github.com/yesodweb/yesod/pull/1592)
diff --git a/yesod-core/src/Yesod/Core/Handler.hs b/yesod-core/src/Yesod/Core/Handler.hs
index ddf4861c..93c6eb8a 100644
--- a/yesod-core/src/Yesod/Core/Handler.hs
+++ b/yesod-core/src/Yesod/Core/Handler.hs
@@ -1069,13 +1069,15 @@ $doctype 5
 <html>
     <head>
         <title>Redirecting...
-    <body onload="document.getElementById('form').submit()">
+    <body>
         <form id="form" method="post" action=#{urlText}>
             $maybe token <- reqToken req
                 <input type=hidden name=#{defaultCsrfParamName} value=#{token}>
             <noscript>
                 <p>Javascript has been disabled; please click on the button below to be redirected.
             <input type="submit" value="Continue">
+        <script>
+          window.onload = function() { document.getElementById('form').submit(); };
 |] >>= sendResponse
 
 -- | Wraps the 'Content' generated by 'hamletToContent' in a 'RepHtml'.
diff --git a/yesod-core/yesod-core.cabal b/yesod-core/yesod-core.cabal
index 7d28de21..cf67b818 100644
--- a/yesod-core/yesod-core.cabal
+++ b/yesod-core/yesod-core.cabal
@@ -1,5 +1,5 @@
 name:            yesod-core
-version:         1.6.14
+version:         1.6.15
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>