-module(plume@xss_protection).
-compile([no_auto_import, nowarn_unused_vars, nowarn_unused_function, nowarn_nomatch, inline]).
-define(FILEPATH, "src/plume/xss_protection.gleam").
-export([to_string/1]).
-export_type([xss_protection/0]).
-if(?OTP_RELEASE >= 27).
-define(MODULEDOC(Str), -moduledoc(Str)).
-define(DOC(Str), -doc(Str)).
-else.
-define(MODULEDOC(Str), -compile([])).
-define(DOC(Str), -compile([])).
-endif.
?MODULEDOC(
" X-XSS-Protection\n"
"\n"
" This response header was a feature of Internet Explorer, Chrome and Safari\n"
" that stopped pages from loading when they detected reflected cross-site\n"
" scripting (XSS) attacks. These protections are largely unnecessary in\n"
" modern browsers when sites implement a strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy)\n"
" that disables the use of inline JavaScript. Setting the header to `0` is\n"
" recommended to disable the buggy XSS auditor that older browsers may still\n"
" ship with.\n"
"\n"
" See the [MDN docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection).\n"
).
-type xss_protection() :: disabled | enabled | block.
-file("src/plume/xss_protection.gleam", 28).
?DOC(" Encode as the `X-XSS-Protection` header value.\n").
-spec to_string(xss_protection()) -> binary().
%% Map an xss_protection() setting to the exact text sent as the value of the
%% `X-XSS-Protection` response header.
%%
%%   disabled -> "0"              switches the legacy browser XSS auditor off;
%%                                this is the value the module doc recommends.
%%   enabled  -> "1"              switches the auditor on.
%%   block    -> "1; mode=block"  switches the auditor on in blocking mode.
%%
%% Only the three atoms of xss_protection() are handled. Any other term has no
%% matching branch and fails with a case_clause error.
to_string(Setting) ->
    case Setting of
        block ->
            <<"1; mode=block"/utf8>>;
        enabled ->
            <<"1"/utf8>>;
        disabled ->
            <<"0"/utf8>>
    end.