Compile-time verified dynamic CSP headers

Dynamic CSP headers are tricky, especially if user input is involved. If part of the request URL is percent-decoded and then interpolated into the header, a URL such as https://foo.com/bar%20%2A (%20 is a space, %2A is an asterisk) can result in headers like:

Content-Security-Policy: script-src https://foo.com *

This kills the CSP: a bare asterisk matches any host, so script-src no longer restricts where scripts may be loaded from.

yesod-csp tries to make such nastiness impossible. One way it helps is by wrapping URI from network-uri:

And not exporting (i.e. hiding) the constructor. Since the only way to build a value of the wrapper type is through the module's own escaping functions, every URL is forced through them before anything will typecheck:

yesod-csp also uses non-empty lists for source lists, since an empty source list makes no sense and should not be representable at all.
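As an added illustration of the two ideas above (a wrapper around network-uri's URI with a hidden constructor, and NonEmpty source lists), here is a small self-contained module. It is not yesod-csp's own code: the names CspUri, mkCspUri, Source, Directive and renderPolicy, and the inputs in main, are assumptions made for the example.

```haskell
-- Added example, not yesod-csp's own code. It shows the technique the post
-- describes: a newtype around a validated URI whose constructor stays hidden,
-- non-empty source lists, and a renderer that can only be fed those types.
module Main
  ( main
  , CspUri            -- exported abstractly: the constructor is not exported
  , mkCspUri
  , Source (..)
  , Directive (..)
  , renderPolicy
  ) where

import Data.Char (isAlphaNum, isAscii, isDigit)
import Data.List (intercalate)
import Data.List.NonEmpty (NonEmpty (..))
import qualified Data.List.NonEmpty as NE
import Network.URI (URI (..), URIAuth (..), parseAbsoluteURI)

-- | A host-source known to be safe to splice into a policy.
-- Outside this module the only way to obtain one is 'mkCspUri'.
newtype CspUri = CspUri String
  deriving (Eq, Show)

-- | Smart constructor: parse with network-uri, then keep only scheme, host
-- and port. Path, query and fragment are dropped, so percent-decoded user
-- input such as "bar *" can never reach the header, and hosts containing
-- CSP separators (space, ';', ',') or quotes are rejected outright.
mkCspUri :: String -> Either String CspUri
mkCspUri raw = do
  uri  <- note "not an absolute URI" (parseAbsoluteURI raw)
  auth <- note "URI has no host" (uriAuthority uri)
  let scheme = uriScheme uri              -- e.g. "https:"
      host   = uriRegName auth            -- e.g. "foo.com"
      port   = uriPort auth               -- "" or ":8443"
  if scheme `notElem` ["http:", "https:"]
    then Left ("unsupported scheme: " ++ scheme)
    else if null host || not (all hostChar host)
      then Left ("unsafe host: " ++ show host)
      else if not (validPort port)
        then Left ("unsafe port: " ++ show port)
        else Right (CspUri (scheme ++ "//" ++ host ++ port))
  where
    note msg = maybe (Left msg) Right
    -- ASCII letters, digits, '-' and '.' only; no wildcards, no separators.
    hostChar c = isAscii c && (isAlphaNum c || c == '-' || c == '.')
    -- Either no port at all, or ':' followed by at least one digit.
    validPort p = null p || (length p > 1 && all isDigit (tail p))

-- | Source expressions. Quoted keywords are fixed strings; anything
-- host-shaped must already be a 'CspUri'.
data Source
  = Self
  | UnsafeInline
  | Host CspUri
  deriving (Eq, Show)

-- | Every directive carries a NonEmpty list: an empty source list is not
-- representable, so it cannot be rendered by accident.
data Directive
  = DefaultSrc (NonEmpty Source)
  | ScriptSrc  (NonEmpty Source)
  | StyleSrc   (NonEmpty Source)
  deriving (Eq, Show)

renderSource :: Source -> String
renderSource Self              = "'self'"
renderSource UnsafeInline      = "'unsafe-inline'"
renderSource (Host (CspUri u)) = u

renderDirective :: Directive -> String
renderDirective d = case d of
  DefaultSrc ss -> go "default-src" ss
  ScriptSrc  ss -> go "script-src"  ss
  StyleSrc   ss -> go "style-src"   ss
  where
    go name ss = unwords (name : map renderSource (NE.toList ss))

-- | Header value for a policy of one or more directives.
renderPolicy :: NonEmpty Directive -> String
renderPolicy = intercalate "; " . map renderDirective . NE.toList

main :: IO ()
main = do
  -- Constructed inputs: the percent-encoded URL from the post, its decoded
  -- form, and a host that tries to smuggle in a second directive.
  mapM_ (print . mkCspUri)
    [ "https://foo.com/bar%20%2A"      -- Right: path dropped, host kept
    , "https://foo.com/bar *"          -- Left: not a valid URI
    , "https://foo.com;default-src"    -- Left: ';' would start a new directive
    , "https://cdn.example.com:8443"   -- Right: port kept
    ]
  -- A dynamic host can only enter the policy after passing mkCspUri.
  case mkCspUri "https://cdn.example.com" of
    Left err  -> putStrLn ("rejected: " ++ err)
    Right cdn -> putStrLn (renderPolicy (ScriptSrc (Self :| [Host cdn]) :| []))
```

The point is in the export list: CspUri is exported without its constructor, so a caller cannot write Host (CspUri userInput) and must go through mkCspUri, which is where the checking lives. The host check is deliberately strict (no wildcard such as *.foo.com, no IPv6 literals); a real library would give those their own constructors rather than loosening the string check.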

Writing the ADTs out is OK:

But I felt that the yak was not quite shaved enough, so I wrote a parser for a subset of CSP and provided a quasiquoter so you can do:

This gets parsed and transformed into Haskell code at compile time, so a policy that does not parse is a compile error rather than a broken header, and the result carries the same static assurances as the hand-written ADTs.

You can include your dynamic URLs if you want:

You can even use uniplate to do generic transformations over the policy: