Closed p4paul closed 1 month ago
I can use the generated hash, that seems to work too. I guess a hash is better than just allowing any 'unsafe-inline'
Hey Paul, is there any reason why you are trying to limit JS execution globally in this case? The Swagger bundle comes from a trusted source & it's limited to your own code. I'd rather replace the global header config with a manual before HTTP handler that'd set this only on pages that should use it, so e.g. excluding Swagger endpoints.
The front-end part of the application needs the CSP (lots of JavaScript) and typically we don't allow 'unsafe-inline'. I guess Swagger is the exception as this comes directly from the back-end (not from React). The global header config seemed convenient, however as you say I could do it in before filters or possibly from the front with react-csp.
I'll close it, because I don't think this is something we want to address in the plugin itself - at least not for now.
I have set a GlobalHeadersConfig security policy CSP. In order to get the Swagger page to load I have to add 'unsafe-inline' to script-src. Any ideas how this could be more secure? Without it I get the page error:
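The hash-based alternative to 'unsafe-inline' that the thread mentions, worked through as an added example (this is not code from the issue, from Javalin or from the Swagger plugin). A CSP hash-source is the base64 of the SHA-256/384/512 digest of the exact inline script text, written as 'sha256-…' in script-src; when any hash or nonce source is present, browsers ignore 'unsafe-inline' in that directive. The inline script below is a constructed stand-in for whatever bootstrap script a Swagger page embeds, and the policy checker is a deliberately small model of the browser's decision, not a full CSP implementation.

```python
import base64
import hashlib

# Constructed sample inline script (not the real Swagger UI bootstrap code);
# it only stands in for "the inline <script> block the page serves".
SAMPLE_INLINE_SCRIPT = (
    "window.onload = function () {"
    " window.ui = SwaggerUIBundle({url: '/openapi', dom_id: '#swagger-ui'});"
    " };"
)

CSP_HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source for an inline script, e.g. 'sha256-<base64>'.

    The digest covers the exact text between <script> and </script>, as UTF-8.
    A single changed byte (whitespace included) produces a different hash.
    """
    if algo not in CSP_HASH_ALGOS:
        raise ValueError(f"CSP hash sources must use one of {CSP_HASH_ALGOS}")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_policy(script_hashes) -> str:
    """Build a policy that allows same-origin scripts plus the listed hashes,
    without 'unsafe-inline'."""
    return "default-src 'self'; script-src 'self' " + " ".join(script_hashes)


def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive-name: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        part = part.strip()
        if not part:
            continue
        name, *sources = part.split()
        directives[name.lower()] = sources
    return directives


def inline_script_allowed(policy: str, script_body: str) -> bool:
    """Model whether a browser would run an inline script under this policy.

    script-src falls back to default-src, as in CSP. If any hash or nonce
    source is present, 'unsafe-inline' is ignored and only a matching hash
    lets the script run.
    """
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    hash_or_nonce_present = any(
        s.startswith(tuple(f"'{a}-" for a in CSP_HASH_ALGOS) + ("'nonce-",))
        for s in sources
    )
    if hash_or_nonce_present:
        for source in sources:
            for algo in CSP_HASH_ALGOS:
                if source.startswith(f"'{algo}-") and source == csp_hash_source(script_body, algo):
                    return True
        return False
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    hashed = csp_hash_source(SAMPLE_INLINE_SCRIPT)
    strict = build_policy([hashed])
    print("Content-Security-Policy:", strict)
    print("sample script allowed:", inline_script_allowed(strict, SAMPLE_INLINE_SCRIPT))
    print("modified script allowed:", inline_script_allowed(strict, SAMPLE_INLINE_SCRIPT + " "))
```

The caveat this makes concrete: the hash is only valid for the byte-exact script the page actually serves, so if the generated inline script changes (a different spec URL, a plugin update that rewrites the bootstrap code) the hash must be regenerated or the page stops loading with the same CSP error described in the issue. That is also the practical reason for scoping the header per path, as suggested in the thread, rather than maintaining one global policy that has to satisfy both the React front-end and the Swagger page.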