Merge pull request #1548 from yesodweb/MaxGabriel-patch-1

Explain how requireCheckJsonBody can prevent CSRF
Chris Allen 2018-08-02 10:30:41 -05:00 committed by GitHub
commit 826a607571


@ -133,8 +133,10 @@ requireJsonBody = do
J.Error s -> invalidArgs [pack s]
J.Success a -> return a
-- | Same as 'requireJsonBody', but ensures that the mime type
-- indicates JSON content.
-- | Same as 'requireJsonBody', but ensures that the MIME type
-- indicates JSON content. Requiring a JSON content-type helps secure your site against
-- CSRF attacks (browsers will perform POST requests for form and text/plain content-types
-- without doing a CORS check, and those content-types can easily contain valid JSON).
requireCheckJsonBody :: (MonadHandler m, J.FromJSON a) => m a
requireCheckJsonBody = do
ra <- parseCheckJsonBody