This adds `jsAttributesHandler` to run arbitrary Handler code before
building the attributes map for the script tag generated by `widgetFile`.
This is useful if you need to add a randomised nonce value to that tag.
Closes https://github.com/yesodweb/yesod/issues/1621
If someone wants their website to score a good grade on a security
vulnerability scanner like Mozilla Observatory, they will need to enable
the Content Security Policy header. When using CSP, it is possible to
explicitly allow inline JavaScript in `<script>` tags by specifying the
sha256 of the snippet. However the same is _not_ true of any JavaScript
included in a HTML attribute like `onload`.
This changes moves the JavaScript form submission out of the `onload`
HTML attribute and into a `<script>` tag so the user can add the hash of
this script to their explicitly-allowed `script-src` list, and they can
avoid using undesirable CSP rules like `unsafe-inline`.
Without explicitly allowing this script when using CSP, the script would
fail and the user would have to click the button to continue.
Makes `loadClientSession` ignore all sessions in a request if more than
a single session cookie decodes successfully. The prior behavior was to
merge all valid session cookies' values.
Bumps version to 1.6.12
The `selectRep` documentation indicates that it choose the first
representation provided if no representation matches.
This was only partially correct, as `selectRep` required that no
representation matched **and** that the `Content-Type` header of the
response was empty.
This led to a problem because `defaultErrorhandler` relies on
`selectRep`, and when `selectRep` was unable to find a suitable
representation, it would "swallow" the original error that resulted in
`defaultErrorhandler` being called, and set a status 406 for all cases.
[weeder: Detect dead code](https://hackage.haskell.org/package/weeder)
deleted depends is
* mime-mail
* wai-eventsource
I sort build-depends, because duplicate depend some exist, to sort is detect to easy.
* This is important because historically these errors have tripped people up
* Making security as easy as possible is important so that it doesn't just get turned off
* Giving clear directions about where to get the CSRF token (a cookie) and where to send it (a header/param) is especially helpful to frontend developers not necessarily familiar with the backend codebase
