Yesod.Core.Handler.languages checks first for a language set in the
user's session, prepending that value to YesodRequest{reqLangs}, so it
is respected above all else if present.
For context, reqLangs itself also includes the session, but just later
in line:
langs' = catMaybes [ lookup langKey gets -- Query _LANG
, lookup langKey cookies -- Cookie _LANG
, lookupText langKey session -- Session _LANG
] ++ langs -- Accept-Language(s)
In #1720, it was raised that allowing the session (something implicitly
present for any request) to override a query parameter (something
explicitly given on that request) is surprising.
We decided (without knowing what order reqLangs was doing) that query,
cookie, session, accept was best and languages should be changed to do
that. Conveniently, this just makes languages equivalent to reqLangs, so
that is what this patch does.
GHC 8.0 and later come with the `DeriveLift` extension for deriving
instances of `Language.Haskell.TH.Syntax.Lift`. `yesod-core` supports
GHC 8.2 and up, so it is able to make use of this. Not only does
`DeriveLift` make for much shorter code, but it also fixes warnings
that you get when compiling `yesod-core` with GHC 8.10 or later:
```
[20 of 31] Compiling Yesod.Routes.TH.Types ( src/Yesod/Routes/TH/Types.hs, interpreted )
src/Yesod/Routes/TH/Types.hs:34:10: warning: [-Wmissing-methods]
• No explicit implementation for
‘liftTyped’
• In the instance declaration for ‘Lift (ResourceTree t)’
|
34 | instance Lift t => Lift (ResourceTree t) where
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/Yesod/Routes/TH/Types.hs:49:10: warning: [-Wmissing-methods]
• No explicit implementation for
‘liftTyped’
• In the instance declaration for ‘Lift (Resource t)’
|
49 | instance Lift t => Lift (Resource t) where
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/Yesod/Routes/TH/Types.hs:59:10: warning: [-Wmissing-methods]
• No explicit implementation for
‘liftTyped’
• In the instance declaration for ‘Lift (Piece t)’
|
59 | instance Lift t => Lift (Piece t) where
| ^^^^^^^^^^^^^^^^^^^^^^^^
src/Yesod/Routes/TH/Types.hs:78:10: warning: [-Wmissing-methods]
• No explicit implementation for
‘liftTyped’
• In the instance declaration for ‘Lift (Dispatch t)’
|
78 | instance Lift t => Lift (Dispatch t) where
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^
```
This is because `DeriveLift` fills in implementations of `liftTyped`,
a method that was introduced to `Lift` in `template-haskell-2.16.0.0`
(bundled with GHC 8.10).
* Add functions for setting description and OG meta
It's common that a website author will want to add a specific
description and Open Graph image to a given page in their website. These
functions are simple conveniences to add these meta tags to the document
head.
I decided against simply adding all possible meta tags, because not all
of them are useful, and even in the case of Open Graph tags, many of
them should be set only once and they should use the same value for the
entire website. In those cases, it's probably better for the website
author to add those tags in their layout template.
Closes https://github.com/yesodweb/yesod/issues/1659
This adds `jsAttributesHandler` to run arbitrary Handler code before
building the attributes map for the script tag generated by `widgetFile`.
This is useful if you need to add a randomised nonce value to that tag.
Closes https://github.com/yesodweb/yesod/issues/1621
If someone wants their website to score a good grade on a security
vulnerability scanner like Mozilla Observatory, they will need to enable
the Content Security Policy header. When using CSP, it is possible to
explicitly allow inline JavaScript in `<script>` tags by specifying the
sha256 of the snippet. However the same is _not_ true of any JavaScript
included in a HTML attribute like `onload`.
This changes moves the JavaScript form submission out of the `onload`
HTML attribute and into a `<script>` tag so the user can add the hash of
this script to their explicitly-allowed `script-src` list, and they can
avoid using undesirable CSP rules like `unsafe-inline`.
Without explicitly allowing this script when using CSP, the script would
fail and the user would have to click the button to continue.
Makes `loadClientSession` ignore all sessions in a request if more than
a single session cookie decodes successfully. The prior behavior was to
merge all valid session cookies' values.
Bumps version to 1.6.12
`parseJsonBody` and `requireJsonBody` do not require a mime type when
parsing `JSON` content. This leaves them open to CSRF. They are now
deprecated and `insecure` versions are added in their place. Consumers
are now given a proper choice between secure and insecure functions.
There is a potential attack vector in that the browser does not trigger
CORS requests for "simple requests", which includes POST requests that
are form or text content-types. An attacker can craft a form whose body
is valid JSON, and when a user visits attacker.com and submits that
form, it can be submitted to bank.com and bypass CORS.
Checking the content-type is application/json prevents this, because if
the content-type was set to application/json, then the browser would
send a CORS request—a preflight OPTIONS request to the server asking if
the current domain (and some other values) are whitelisted to send
requests to that server. If the server doesn't say attacker.com is
whitelisted, the browser will not send the real request to the server.
The `selectRep` documentation indicates that it choose the first
representation provided if no representation matches.
This was only partially correct, as `selectRep` required that no
representation matched **and** that the `Content-Type` header of the
response was empty.
This led to a problem because `defaultErrorhandler` relies on
`selectRep`, and when `selectRep` was unable to find a suitable
representation, it would "swallow" the original error that resulted in
`defaultErrorhandler` being called, and set a status 406 for all cases.
[weeder: Detect dead code](https://hackage.haskell.org/package/weeder)
deleted depends is
* mime-mail
* wai-eventsource
I sort build-depends, because duplicate depend some exist, to sort is detect to easy.
This is much more consistent than suddenly using a ReaderT for subsites.
Thanks to @jprider63 for the inspiration for this, I think it cleans
things up a lot!
* Just to be helpful to developers, give the maximum body length and their body length
* Also point developers to the function to change that value
(I don't think this leaks any sensitive info, because you can always binary search with different request body sizes to find the maximum allowable)
