If someone wants their website to score a good grade on a security
vulnerability scanner like Mozilla Observatory, they will need to enable
the Content Security Policy header. When using CSP, it is possible to
explicitly allow inline JavaScript in `<script>` tags by specifying the
sha256 of the snippet. However, the same is _not_ true of any JavaScript
included in an HTML attribute like `onload`.

This change moves the JavaScript form submission out of the `onload`
HTML attribute and into a `<script>` tag so the user can add the hash of
this script to their explicitly-allowed `script-src` list, and they can
avoid using undesirable CSP rules like `unsafe-inline`.

Without explicitly allowing this script when using CSP, the script would
fail and the user would have to click the button to continue.
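
The difference described in the commit message above, as an added example that is not part of the commit or the project's code: it computes the `'sha256-…'` source for each inline `<script>` body and lists event-handler attributes that such a hash does not cover. The helper names and the sample markup are constructed for illustration.

```javascript
// Added example: helper names and the sample markup are constructed here.
const { createHash } = require("node:crypto");

// CSP hash source for one inline script. The digest covers the exact text
// between <script> and </script>, so any whitespace change alters the hash.
function cspHashSource(scriptBody) {
  const digest = createHash("sha256").update(scriptBody, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Bodies of inline <script> elements (those without a src attribute).
// A regex is enough for the constructed samples; use an HTML parser on real pages.
function inlineScripts(html) {
  return [...html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)]
    .filter((m) => !/\bsrc\s*=/i.test(m[1]))
    .map((m) => m[2]);
}

// Event-handler attributes (onload, onclick, ...) found on any tag.
// Per the commit message above, a script hash in script-src does not cover these.
function inlineHandlers(html) {
  const markup = html.replace(/<script\b[\s\S]*?<\/script>/gi, "");
  const found = [];
  for (const tag of markup.match(/<[a-z][^>]*>/gi) || []) {
    for (const m of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) found.push(m[1].toLowerCase());
  }
  return found;
}

// Summarise what a strict policy for the page needs and what it cannot allow.
function auditPage(html) {
  const hashes = inlineScripts(html).map(cspHashSource);
  return {
    scriptSrc: hashes.length ? `script-src ${hashes.join(" ")}` : "script-src 'none'",
    unhashable: inlineHandlers(html),
  };
}

// Constructed auto-submitting form, before and after moving the handler.
const BEFORE = `<body onload="document.getElementById('f').submit()">
<form id="f" method="post"><button>Continue</button></form></body>`;
const AFTER = `<body><form id="f" method="post"><button>Continue</button></form>
<script>document.getElementById('f').submit();</script></body>`;

for (const [label, html] of [["before", BEFORE], ["after", AFTER]]) {
  console.log(label, auditPage(html));
}
```
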

When a form has multiple `mreq` fields and the user submits a form with
more than one of these values missing, they see an ambiguous collection
of "Value is required" messages. The `mreqMsg` function allows you to
provide your own MsgValueRequired message for a better UX.

The previous type signature was attempting to read the Connection off of
the m in WebSocketsT m, rather than the WebSocketsT itself. This was
likely a typo that happened to type-check. The types for these now align
with the rest of the API, read the Connection off of WebSocketsT, and
make no demands of the m other than MonadIO.
Fixes #1599.

My coworker who is new to Haskell was pointing out that for such an important function to Yesod, this one is lacking any documentation. It's slightly hard to document because people could provide various implementations for it, but I think this description captures the essence pretty well, and notes the important implicit behavior of opening a transaction.