Move JavaScript form submission to script block

If someone wants their website to score a good grade on a security
vulnerability scanner like Mozilla Observatory, they will need to enable
the Content Security Policy header. When using CSP, it is possible to
explicitly allow inline JavaScript in `<script>` tags by specifying the
sha256 of the snippet. However, the same is _not_ true of any JavaScript
included in an HTML attribute like `onload`.

This change moves the JavaScript form submission out of the `onload`
HTML attribute and into a `<script>` tag so the user can add the hash of
this script to their explicitly-allowed `script-src` list, and they can
avoid using undesirable CSP rules like `unsafe-inline`.

Without explicitly allowing this script when using CSP, the script would
fail and the user would have to click the button to continue.
Jezen Thomas 2019-08-19 20:28:27 +02:00
parent d8ebb95c96
commit d385ada853
No known key found for this signature in database
GPG Key ID: 5FEF410819FCBDB7
3 changed files with 9 additions and 2 deletions


@ -1,5 +1,10 @@
# ChangeLog for yesod-core
## 1.6.15
* Move `redirectToPost` JavaScript form submission from HTML element to
`<script>` tag for CSP reasons [#1620](https://github.com/yesodweb/yesod/pull/1620)
## 1.6.14
* Introduce `JSONResponse`. [issue #1481](https://github.com/yesodweb/yesod/issues/1481) and [PR #1592](https://github.com/yesodweb/yesod/pull/1592)
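Review bot: "for CSP reasons" in the 1.6.15 entry is vaguer than the commit message, which gives the concrete motivation; suggest stating it in the ChangeLog so users reading release notes know why their rendered redirect page changed, e.g. "so the inline script can be allow-listed by sha256 hash in `script-src` instead of requiring `unsafe-inline` (CSP hashes do not apply to `onload` attributes)". The continuation line of the bullet should also be indented under the `*` so it renders as one list item.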


@ -1069,13 +1069,15 @@ $doctype 5
<html>
<head>
<title>Redirecting...
<body onload="document.getElementById('form').submit()">
<body>
<form id="form" method="post" action=#{urlText}>
$maybe token <- reqToken req
<input type=hidden name=#{defaultCsrfParamName} value=#{token}>
<noscript>
<p>Javascript has been disabled; please click on the button below to be redirected.
<input type="submit" value="Continue">
<script>
window.onload = function() { document.getElementById('form').submit(); };
|] >>= sendResponse
-- | Wraps the 'Content' generated by 'hamletToContent' in a 'RepHtml'.
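Review bot: the benefit of this hunk depends on the rendered `<script>` body being byte-for-byte stable, because a CSP `'sha256-...'` source hashes the exact text between the tags, whitespace and newlines included; neither the Haddock for `redirectToPost` nor the ChangeLog tells users what that text is. Suggest documenting the exact script contents (and ideally the resulting sha256) in the `redirectToPost` documentation, and treating any future change to that line as a user-visible change since it invalidates deployed hashes. Minor: `window.onload = function() { ... }` replaces any existing load handler; `window.addEventListener('load', ...)` is the non-clobbering form, though on this self-contained redirect page there is no other script to clobber.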


@ -1,5 +1,5 @@
name: yesod-core
version: 1.6.14
version: 1.6.15
license: MIT
license-file: LICENSE
author: Michael Snoyman <michael@snoyman.com>
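Review bot: the bump to 1.6.15 matches the new ChangeLog heading, and a patch-level bump is appropriate under PVP since no exported API changes; note, though, that the rendered output of `redirectToPost` does change (auto-submit now runs from a `<script>` tag rather than the `onload` attribute), so any downstream CSP that previously worked only via `unsafe-inline` will keep working but the new hash-based allow-listing needs the documentation mentioned in the template hunk.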