# `redirectToPost` implementation is incompatible with strict Content-Security-Policy #1647
## Comments

I don't think So I guess I'm OK with moving to the Idea for implementation: what if we make a new method in the

@charukiewicz I actually struggled with the same earlier, but it was merged already here: #1620. I wrote more about working with a CSP in Yesod, which you can read here: https://jezenthomas.com/implementing-csp-in-yesod/ You might find it useful.

@jezen Thanks for the link and suggesting this approach. This is very helpful. Looks like using a

I think that given your immediate issue is resolved, this thread can be closed. I do agree with your point here:

But I think this is a separate (and much larger) conversation to be had.
### The Problem

While working with `yesod-auth`, I ran into a strange issue where my `/auth/logout` path stopped automatically redirecting me to my intended logout page, and instead left me in the intermediary "Continue" state. It turns out that this issue was caused by a `Content-Security-Policy` header that does not allow `unsafe-inline`, blocking inline JavaScript and instead throwing an error. Turns out that this issue is caused by the current implementation of `redirectToPost`, which relies on an inline `<script>` tag.

### My Attempted Solution

I tried to refactor `redirectToPost`, currently implemented as:

My approach to eliminate the inline `<script>` tag was to convert the `window.onload` line to a widget and load it into the hamlet body. Here's what I tried to do:

I believe this approach would work, but `toWidget` is defined in `Yesod.Core.Widget`, which depends on `Yesod.Core.Handler` (the module with the change), so that's not really an option.

### Another Possible Solution

A different solution would be to make the `GET` handler (`getLogoutR`) delete the user's credentials, with no need for this intermediary page. Currently it is implemented as:

`yesod/yesod-auth/Yesod/Auth.hs`, lines 468 to 471 in 463fd54

This approach was suggested in #1475 (for reasons unrelated to a CSP), but rejected, for the reason that `GET` requests should not modify server state.

### How to Proceed

I started my first-ever Yesod project a few months ago, and while I very much like the framework, I think one of the project's goals should be to strive for compatibility with modern web standards, especially ones related to security. A strict Content-Security-Policy is one of the examples of that. To quote Mozilla:

I understand the argument for not making `GET` requests modify server state. If that isn't a good option, I am curious to hear if anyone else has thoughts on the approach I outlined above (relying on making the automatic redirect a widget rather than an inline `<script>`), or if anyone has any thoughts on this issue in general.
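The failure described in this issue (an inline `<script>` refused by a policy without `'unsafe-inline'`) can be checked against a concrete header, and the hash-allowlist mitigation demonstrated, with the added Python example below. It is not part of the issue or of Yesod; `INLINE_SCRIPT` is a constructed stand-in for the handler's inline body, and a real deployment must hash the exact bytes the server emits.

```python
import base64
import hashlib

# Constructed stand-in for the inline auto-submit that redirectToPost emits.
# The CSP hash only matches if computed over the exact bytes the server sends.
INLINE_SCRIPT = "window.onload = function(){document.getElementById('form').submit()}"


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src governs inline scripts; default-src is the fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def sha256_source(script_text):
    """CSP hash-source for an inline script body: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(header, script_text, nonce=None):
    """Apply the CSP rules for an inline <script> (no src attribute)."""
    policy = parse_csp(header)
    if "script-src" not in policy and "default-src" not in policy:
        return True  # no directive governs scripts, so nothing is blocked
    sources = script_sources(policy)
    keywords = {s.lower() for s in sources}
    has_nonce_or_hash = any(
        k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords)
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if sha256_source(script_text) in sources:
        return True
    # 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present
    return ("'unsafe-inline'" in keywords and not has_nonce_or_hash
            and "'strict-dynamic'" not in keywords)


def add_hash_source(header, script_text):
    """Extend the policy so this exact inline script is allowed without 'unsafe-inline'."""
    policy = parse_csp(header)
    policy["script-src"] = list(script_sources(policy)) + [sha256_source(script_text)]
    return "; ".join(name + " " + " ".join(srcs) for name, srcs in policy.items())
```

A one-character change to the script body invalidates the hash, so the allowlisted digest must be regenerated whenever the handler's inline code changes.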