haskell/yesod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Explain how requireCheckJsonBody can prevent CSRF

Browse Source
This commit is contained in:
Maximilian Tagher 2018-07-31 21:22:39 -07:00 committed by GitHub
parent 6f76b5ff91
commit 1f05d2c72f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
yesod-core/Yesod/Core/Json.hs
View File

@ -133,8 +133,10 @@ requireJsonBody = do
J.Error s -> invalidArgs [pack s] J.Error s -> invalidArgs [pack s]
J.Success a -> return a J.Success a -> return a
-- | Same as 'requireJsonBody', but ensures that the mime type -- | Same as 'requireJsonBody', but ensures that the MIME type
-- indicates JSON content. -- indicates JSON content. Requiring a JSON content-type helps secure your site against
-- CSRF attacks (browsers will perform POST requests for form and text/plain content-types
-- without doing a CORS check, and those content-types can easily contain valid JSON).
requireCheckJsonBody :: (MonadHandler m, J.FromJSON a) => m a requireCheckJsonBody :: (MonadHandler m, J.FromJSON a) => m a
requireCheckJsonBody = do requireCheckJsonBody = do
ra <- parseCheckJsonBody ra <- parseCheckJsonBody