fix: add missing link to Content Security Policy #619
Force-pushed from bf901c5 to 6230cb5
@keniiig21, can you help verify this fixes your issue?
Thanks @romanblanco, I was just about to add this and open a PR. I have an integration test that loads the swagger UI page and my tests were failing with a CSP error. This looks like it will fix the issue for me. Thanks!
This CSP is also causing me a lot of other problems, since the page won't be able to connect to my API endpoints. Could we add a way to configure it and add our own domains?
Same issue here... the "Try it out" functionality doesn't work at all for me due to CSP issues. It's supposed to just connect to my I get both of these issues:
In case others are waiting on a full fix, here's how I got everything working for my Rails app. I added the following to work around the issue:

```ruby
# config/initializers/rswag_ui_csp_monkeypatch.rb
# Monkeypatch https://github.com/rswag/rswag/blob/master/rswag-ui/lib/rswag/ui/middleware.rb
# due to issues described in https://github.com/rswag/rswag/pull/619/files
module Rswag
  module Ui
    class Middleware
      # ORIGINAL:
      # def csp
      #   <<~POLICY.gsub "\n", ' '
      #     default-src 'self';
      #     img-src 'self' data:;
      #     font-src 'self' https://fonts.gstatic.com;
      #     style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
      #     script-src 'self' 'unsafe-inline';
      #   POLICY
      # end
      def csp
        <<~POLICY.gsub "\n", ' '
          default-src 'self';
          img-src 'self' data: https://validator.swagger.io;
          font-src 'self' https://fonts.gstatic.com;
          style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
          script-src 'self' 'unsafe-inline';
          connect-src 'self' https://api.MYSITE.com https://api.MYSITE.test;
        POLICY
      end
    end
  end
end
```
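Since two comments above ask for the connect-src hosts to be configurable rather than monkeypatched, here is an added example (not rswag's code; the module name and the `connect_src:` option are hypothetical) of a policy builder that takes the API origins "Try it out" needs and rejects anything that is not a bare https origin, so a typo or a `*` cannot silently widen the policy.

```ruby
# Added example, not part of rswag: build the Swagger UI CSP from a list of
# allowed API origins instead of hard-coding them in the middleware.
require "uri"

module SwaggerUiCsp
  # 'self' is always allowed for connect-src; configured origins are appended.
  DEFAULT_CONNECT_SRC = ["'self'"].freeze

  # Accept only absolute https origins (scheme + host[:port]) with no path,
  # query or fragment. Rejects "*", plain http and "https://host/v1".
  def self.valid_origin?(origin)
    uri = URI.parse(origin)
    uri.is_a?(URI::HTTPS) && !uri.host.nil? && uri.path.empty? &&
      uri.query.nil? && uri.fragment.nil?
  rescue URI::InvalidURIError
    false
  end

  # Returns the Content-Security-Policy header value. Raises on any origin
  # that fails validation so a bad config fails at boot, not in the browser.
  def self.build(connect_src: [])
    bad = connect_src.reject { |o| valid_origin?(o) }
    raise ArgumentError, "invalid connect-src origins: #{bad.join(', ')}" unless bad.empty?

    [
      "default-src 'self'",
      "img-src 'self' data: https://validator.swagger.io",
      "font-src 'self' https://fonts.gstatic.com",
      "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
      "script-src 'self' 'unsafe-inline'",
      "connect-src #{(DEFAULT_CONNECT_SRC + connect_src).join(' ')}"
    ].join("; ") + ";"
  end
end
```

The middleware would then set `Content-Security-Policy` to `SwaggerUiCsp.build(connect_src: [...])` with the origins read from application config.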
Just wanted to create a similar PR.
@ndbroadbent, would you create a separate PR to address the configuration of
it fixes validation indicator loading (rswag#174 (comment))
Force-pushed from 6230cb5 to 19ab33a
Validation indicator has problems loading (see #174 (comment))
Problem
Link to validator.swagger.io is missing in Content Security Policy for UI middleware (merged in #263)
Solution
Add link into CSP.
This concerns these parts of the OpenAPI Specification:
--