authorGravatar Adam Chlipala <adam@chlipala.net>2011-06-24 13:50:59 -0400
committerGravatar Adam Chlipala <adam@chlipala.net>2011-06-24 13:50:59 -0400
commit57e22bb49145d0c4da64b8ff76540b286c55a448 (patch)
treec714756284742c85cf82e7ea9b20de3a54626ccd
parent25f4cc36cfd766a9d5ca7e6572b291c23fd16c5d (diff)
'noXsrfProtection' .urp directive
-rw-r--r--doc/manual.tex1
-rw-r--r--src/cjr_print.sml2
-rw-r--r--src/compiler.sml1
-rw-r--r--src/settings.sig5
-rw-r--r--src/settings.sml6
5 files changed, 12 insertions, 3 deletions
diff --git a/doc/manual.tex b/doc/manual.tex
index 79fdb5f9..f309b8ec 100644
--- a/doc/manual.tex
+++ b/doc/manual.tex
@@ -167,6 +167,7 @@ Here is the complete list of directive forms. ``FFI'' stands for ``foreign func
\end{itemize}
\item \texttt{link FILENAME} adds \texttt{FILENAME} to the list of files to be passed to the GCC linker at the end of compilation. This is most useful for importing extra libraries needed by new FFI modules.
\item \texttt{minHeap NUMBYTES} sets the initial size for thread-local heaps used in handling requests. These heaps grow automatically as needed (up to any maximum set with \texttt{limit}), but each regrow requires restarting the request handling process.
+\item \texttt{noXsrfProtection URIPREFIX} turns off automatic cross-site request forgery protection for the page handler identified by the given URI prefix. This will avoid checking cryptographic signatures on cookies, which is generally a reasonable idea for some pages, such as login pages that are going to discard all old cookie values, anyway.
\item \texttt{onError Module.var} changes the handling of fatal application errors. Instead of displaying a default, ugly error 500 page, the error page will be generated by calling function \texttt{Module.var} on a piece of XML representing the error message. The error handler should have type $\mt{xbody} \to \mt{transaction} \; \mt{page}$. Note that the error handler \emph{cannot} be in the application's main module, since that would register it as explicitly callable via URLs.
\item \texttt{path NAME=VALUE} creates a mapping from \texttt{NAME} to \texttt{VALUE}. This mapping may be used at the beginnings of filesystem paths given to various other configuration directives. A path like \texttt{\$NAME/rest} is expanded to \texttt{VALUE/rest}. There is an initial mapping from the empty name (for paths like \texttt{\$/list}) to the directory where the Ur/Web standard library is installed. If you accept the default \texttt{configure} options, this directory is \texttt{/usr/local/lib/urweb/ur}.
\item \texttt{prefix PREFIX} sets the prefix included before every URI within the generated application. The default is \texttt{/}.
diff --git a/src/cjr_print.sml b/src/cjr_print.sml
index f2455636..9b747bcb 100644
--- a/src/cjr_print.sml
+++ b/src/cjr_print.sml
@@ -2619,7 +2619,7 @@ fun p_file env (ds, ps) =
newline,
string "if (*request == '/') ++request;",
newline,
- if couldWrite ek then
+ if couldWrite ek andalso not (Settings.checkNoXsrfProtection s) then
box [string "{",
newline,
string "uw_Basis_string sig = ",
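Review bot: The new guard skips the cookie-signature check on an exact name match — `Settings.checkNoXsrfProtection s` is backed by `SS.member` in src/settings.sml — while the accompanying doc/manual.tex text describes the argument as a URI prefix, so the manual and the implementation disagree. The cheaper fix is to make the manual say the directive names one handler; if prefix semantics are really intended, `checkNoXsrfProtection` would have to test `String.isPrefix` against each set element rather than membership. Either way a comment next to the guard, such as `(* handlers listed under noXsrfProtection get requests without the cookie signature verified; they must not act on cookie-derived state *)`, would record why a write-capable handler is allowed past the check. The enclosing p_file body and the binding of `s` lie outside the hunk.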
diff --git a/src/compiler.sml b/src/compiler.sml
index 75fc015f..229b40ff 100644
--- a/src/compiler.sml
+++ b/src/compiler.sml
@@ -780,6 +780,7 @@ fun parseUrp' accLibs fname =
NONE => ErrorMsg.error ("invalid min heap '" ^ arg ^ "'")
| SOME n => minHeap := n)
| "alwaysInline" => Settings.addAlwaysInline arg
+ | "noXsrfProtection" => Settings.addNoXsrfProtection arg
| _ => ErrorMsg.error ("Unrecognized command '" ^ cmd ^ "'");
read ()
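Review bot: The new `"noXsrfProtection"` arm hands `arg` to `Settings.addNoXsrfProtection` without any validation, so an empty or misspelled handler name is accepted silently; because lookup is by set membership the mistake fails safe (the check stays on), but the author gets no hint why the page still rejects requests. At least the empty case is cheap to reject inline, `| "noXsrfProtection" => if arg = "" then ErrorMsg.error "empty noXsrfProtection argument" else Settings.addNoXsrfProtection arg`, matching the error style used for `minHeap` just above; checking that the name corresponds to a real handler would presumably need information the .urp parser does not have yet. parseUrp' continues outside the hunk.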
diff --git a/src/settings.sig b/src/settings.sig
index d5383bca..e3c2e7cd 100644
--- a/src/settings.sig
+++ b/src/settings.sig
@@ -1,4 +1,4 @@
-(* Copyright (c) 2008-2010, Adam Chlipala
+(* Copyright (c) 2008-2011, Adam Chlipala
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -227,4 +227,7 @@ signature SETTINGS = sig
val addAlwaysInline : string -> unit
val checkAlwaysInline : string -> bool
+
+ val addNoXsrfProtection : string -> unit
+ val checkNoXsrfProtection : string -> bool
end
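Review bot: The two new signature entries carry no comment, and since this directive widens what a handler may do without a verified cookie signature the contract belongs here rather than only in the manual. A comment above the pair such as `(* Handlers exempt from cookie-signature (XSRF) checking, matched by exact name as given in the .urp file; a listed handler must not rely on cookie contents for side effects *)` would state the matching rule (exact membership per src/settings.sml) and the obligation placed on listed handlers. The surrounding hunk is otherwise a declaration-only change.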
diff --git a/src/settings.sml b/src/settings.sml
index 69d67959..26aaad95 100644
--- a/src/settings.sml
+++ b/src/settings.sml
@@ -1,4 +1,4 @@
-(* Copyright (c) 2008-2010, Adam Chlipala
+(* Copyright (c) 2008-2011, Adam Chlipala
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -570,4 +570,8 @@ val alwaysInline = ref SS.empty
fun addAlwaysInline s = alwaysInline := SS.add (!alwaysInline, s)
fun checkAlwaysInline s = SS.member (!alwaysInline, s)
+val noXsrfProtection = ref SS.empty
+fun addNoXsrfProtection s = noXsrfProtection := SS.add (!noXsrfProtection, s)
+fun checkNoXsrfProtection s = SS.member (!noXsrfProtection, s)
+
end