Content-Security-Policy: script-src https://foo.com *
This kills the CSP.
And not exporting (AKA hiding) the constructor. We can then force URLs to go through our escaping functions before anything will typecheck:
yesod-csp also uses non-empty lists as empty source lists don't make any sense.
Writing the ADTs out is OK:
But I felt that the yak was not quite shaved enough, so I wrote a parser for a subset of CSP and provide a quasiquoter so you can do:
This gets transformed into Haskell code at compile time and provides the same static assurances.
You can include your dynamic urls if you want:
You can even use uniplate to do cool transformations: