Update how the JavaScript run function is invoked in oauth2-redirect.html #6393
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…html We're embedding Swagger UI in an application that defines a content security policy — see [an introduction on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) if necessary. One issue we're facing is that the `oauth2-redirect.html` file uses an inline event handler, `<body onload="run()">`, which is not supported by Chrome or Edge. The official Chrome docs mention that those should be rewritten using the `addEventListener` method. They also recommend to use the `DOMContentLoaded` event on the document rather than the `load` event on the window, as the former "generally triggers more quickly". See <https://developer.chrome.com/extensions/contentSecurityPolicy#:~:text=The%20inline%20event%20handler,more%20quickly> Because of this, we currently have to maintain a slightly modified copy of `oauth2-redirect.html` file to which we apply this change. We're hoping that you'll accept that change to be made upstream. We've tested it on Chrome, the new Edge, and Firefox. Related issue: <swagger-api#5720>
|
@mderriey PR merged! Thanks for the contribution! |
ypsah
added a commit
to ypsah/fastapi
that referenced
this pull request
Jul 24, 2022
When using OpenIDConnect and the "authorization_code with PKCE" flow, swagger-ui will name the flow `authorization_code` rather than `authorizationCode`. [0] The old HTML document generated by fastapi only handled the latter spelling. This meant that trying to authenticate using the swagger UI would fail with: ``` auth errorError: Bad Request, error: invalid_request, description: Missing parameter: code ``` This commit updates the HTML used by fastapi for the `docs/oauth2-redirect` using the latest version published by swagger-ui [1] which brings in a fix for the bug described above. The rest of the changes relate to improving support for Chrome and Edge. [2] [0] https://github.com/swagger-api/swagger-ui/blob/626defc839f80f0d08105cb72b8f6b7d3334db9c/src/core/components/auth/oauth2.jsx#L130 [1] https://github.com/swagger-api/swagger-ui/blob/626defc839f80f0d08105cb72b8f6b7d3334db9c/dev-helpers/oauth2-redirect.html [2] swagger-api/swagger-ui#6393
ypsah
added a commit
to ypsah/fastapi
that referenced
this pull request
Jul 24, 2022
When using OpenIDConnect and the "authorization_code with PKCE" flow, swagger-ui will name the flow `authorization_code` rather than `authorizationCode`. [0] The old HTML document generated by fastapi only handled the latter spelling. This meant that trying to authenticate using the swagger UI would fail with: ``` auth errorError: Bad Request, error: invalid_request, description: Missing parameter: code ``` This commit updates the HTML used by fastapi for the `docs/oauth2-redirect` using the latest version published by swagger-ui [1] which brings in a fix for the bug described above. The rest of the changes relate to improving support for Chrome and Edge. [2] [0] https://github.com/swagger-api/swagger-ui/blob/626defc839f80f0d08105cb72b8f6b7d3334db9c/src/core/components/auth/oauth2.jsx#L130 [1] https://github.com/swagger-api/swagger-ui/blob/626defc839f80f0d08105cb72b8f6b7d3334db9c/dev-helpers/oauth2-redirect.html [2] swagger-api/swagger-ui#6393
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Update how the JavaScript
runfunction is invoked inoauth2-redirect.htmlto make it easier to allow in CSP.Description
The change moves away from using an inline event handler
<body onload="run()">to a programmatic event handler.Motivation and Context
We're embedding Swagger UI in an application that defines a content security policy — see an introduction on MDN if necessary.
One issue we're facing is that the
oauth2-redirect.htmlfile uses an inline event handler,<body onload="run()">, which is not supported by Chrome or Edge.The official Chrome docs mention that those should be rewritten using the
addEventListenermethod.They also recommend to use the
DOMContentLoadedevent on the document rather than theloadevent on the window, as the former "generally triggers more quickly".See https://developer.chrome.com/extensions/contentSecurityPolicy#:~:text=The%20inline%20event%20handler,more%20quickly
Because of this, we currently have to maintain a slightly modified copy of
oauth2-redirect.htmlfile to which we apply this change.We're hoping that you'll accept that change to be made upstream.
Related issue: #5720
How Has This Been Tested?
We've tested performing an OAuth 2 implicit flow with Chrome, the new Edge, and Firefox after allowing the specific hash of the contents of the
<script>tag in our content security policy.Screenshots (if appropriate):
N/A
Checklist
My PR contains...
src/is unmodified: changes to documentation, CI, metadata, etc.)package.json)My changes...
Documentation
Automated tests