
-module(plume@xss_protection).
-compile([no_auto_import, nowarn_unused_vars, nowarn_unused_function, nowarn_nomatch, inline]).
-define(FILEPATH, "src/plume/xss_protection.gleam").
-export([to_string/1]).
-export_type([xss_protection/0]).

-if(?OTP_RELEASE >= 27).
-define(MODULEDOC(Str), -moduledoc(Str)).
-define(DOC(Str), -doc(Str)).
-else.
-define(MODULEDOC(Str), -compile([])).
-define(DOC(Str), -compile([])).
-endif.

?MODULEDOC(
    " X-XSS-Protection\n"
    "\n"
    " This response header was a feature of Internet Explorer, Chrome and Safari\n"
    " that stopped pages from loading when they detected reflected cross-site\n"
    " scripting (XSS) attacks. These protections are largely unnecessary in\n"
    " modern browsers when sites implement a strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy)\n"
    " that disables the use of inline JavaScript. Setting the header to `0`\n"
    " (the `disabled` variant) is the recommended value: it switches off the\n"
    " buggy XSS auditor that older browsers may still ship with. The `enabled`\n"
    " and `block` variants re-enable that auditor, so they should only be chosen\n"
    " deliberately for legacy-browser audiences that lack CSP support, and never\n"
    " as a substitute for a real Content-Security-Policy.\n"
    "\n"
    " See the [MDN docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection).\n"
).

-type xss_protection() :: disabled | enabled | block.

-file("src/plume/xss_protection.gleam", 28).
?DOC(
    " Encode as the `X-XSS-Protection` header value.\n"
    "\n"
    " `disabled` encodes to `0`, which is the value the module docs recommend\n"
    " for sites that already ship a Content-Security-Policy. `enabled` and\n"
    " `block` encode to the legacy auditor-on values (`1` and `1; mode=block`).\n"
).
-spec to_string(xss_protection()) -> binary().
%% Pure encoder: one fixed header value per variant, no validation and no
%% side effects. Dispatch on the atom in the function head so an unexpected
%% value fails with function_clause instead of being silently encoded.
to_string(disabled) ->
    %% Turns the browser's XSS auditor off entirely (recommended).
    <<"0"/utf8>>;
to_string(enabled) ->
    %% Legacy auditor on, sanitising mode.
    <<"1"/utf8>>;
to_string(block) ->
    %% Legacy auditor on, page rendering blocked when an attack is detected.
    <<"1; mode=block"/utf8>>.