Support CSP 2.0

[ygale]

The W3C CSP 1.0 specification, which this library implements, is deprecated and no longer supported or recommended. The current CSP specification is CSP 2.0, which is (for the purposes of this library) just an expanded version of CSP 1.0 with a handful of new directives and some new allowed values.

The major browsers are currently in the process of rolling out support for 2.0 in their latest versions.

Would you consider upgrading this library to support CSP 2.0?

I cannot do the whole upgrade myself at this time, but I would be happy to provide a PR to support frame-anscestors, which is the directive that I currently need.

There are two questions to consider about this:

1. Should the types and/or API of the library reflect the difference between CSP 1.0 and 2.0? In my opinion - no, that would be an unnecessary complication. CSP 2.0 is backward compatible with CSP 1.0, and both the security community and the browser providers seem to be very intent on upgrading quickly. I would just indicate in Haddock comments which parts of the syntax are CSP-2.0-only.
2. Can the upgrade to CSP 2.0 be done piecemeal, or must it be done all at once? Perhaps I'm biased because at the moment I only need one specific feature from CSP 2.0, but it seems to me that piecemeal is fine and more practical. (But of course if you want to do it all at once and it will actually get done promptly, that would be great!)

[bobjflong]

Hi @ygale !

Should the types and/or API of the library reflect the difference between CSP 1.0 and 2.0? In my opinion - no, that would be an unnecessary complication. CSP 2.0 is backward compatible with CSP 1.0, and both the security community and the browser providers seem to be very intent on upgrading quickly. I would just indicate in Haddock comments which parts of the syntax are CSP-2.0-only.

I agree that we should just support working CSP rules and perhaps document what version they conform to.

Can the upgrade to CSP 2.0 be done piecemeal, or must it be done all at once? Perhaps I'm biased because at the moment I only need one specific feature from CSP 2.0, but it seems to me that piecemeal is fine and more practical. (But of course if you want to do it all at once and it will actually get done promptly, that would be great!)

Piecemeal is totally fine by me. So please do feel free to open a PR with the new feature you need.

It's now definitely on my radar to do a larger update with the new stuff, perhaps over the Christmas holidays.

[ygale]

I see you added frame-anscestors yourself - thanks! Could you please upload to hackage and add to stackage?

[bobjflong]

Extremely sorry about the delay, I've pushed a 2.2 to Hackage which has frame-ancestors support. I'll consider Stackage but I'm a little concerned about the maintenance overhead. Hopefully you can get what you need with extra-deps!

[ygale]

Thanks!

Maintenance overhead for adding a package to stackage is near zero. Theoretically exactly zero - if you totally ignore it, that only means that if some dependency problem comes up in the future, your package gets knocked out of later stackage releases until you do whatever trivial little cabal dependency version bump was needed. Since you anyway are not doing PVP, probably exactly zero in practice.

Even if something more major comes up - like, say a breaking change to Yesod that requires refactoring, or incompatibility with some future version of GHC - then still, the worst that can happen is that you fall back out of stackage until you get around to catching up.

That said, if you prefer, I'd be happy to sign on as the maintainer on stackage.

[bobjflong]

Cool, I've an open PR with stackage now: commercialhaskell/stackage#3041

Thanks for the changes and advice, and helping me revive this repo! 🍻

[ygale]

Thanks! "Revive"? I hope not, we've been using it in production on some major web sites. Thanks for a great package. We'll talk some time about those beers...

[bobjflong]

Cool! I just meant that it has been good to merge your changes and get stackage sorted out. It's heartening to hear that it's been useful!