javalin / javalin-openapi

Annotation processor for compile-time OpenAPI & JsonSchema, with out-of-the-box support for Javalin 5.x, Swagger & ReDoc
https://github.com/javalin/javalin-openapi/wiki
Apache License 2.0

Trying to use the /swagger end-point with a contentSecurityPolicy #222

Closed p4paul closed 1 month ago

p4paul commented 2 months ago

I have set a GlobalHeadersConfig security policy CSP. In order to get the Swagger page to load I have to add 'unsafe-inline' to script-src. Any ideas how this could be more secure?

```java
globalHeadersConfig.contentSecurityPolicy("" +
    "default-src 'self';" +
    "script-src 'self' 'unsafe-inline' ...);
```

Without it I get the page error:

```text
Refused to execute inline script because it violates the following Content Security Policy directive:
"script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-+8obL...88='), or a nonce
('nonce-...') is required to enable inline execution.
```

p4paul commented 2 months ago

I can use the generated hash, that seems to work too. I guess a hash is better than just allowing any 'unsafe-inline'

dzikoysk commented 2 months ago

Hey Paul, is there any reason why you are trying to limit JS execution globally in this case? The Swagger bundle comes from a trusted source and it's limited to your own code. I'd rather replace the global header config with a manual before HTTP handler that'd set this only on pages that should use it, so e.g. excluding swagger endpoints.

p4paul commented 2 months ago

The front-end part of the application needs the CSP (lots of JavaScript) and typically we don't allow 'unsafe-inline'. I guess Swagger is the exception as this comes directly from the back-end (not from React). The global header config seemed convenient, however as you say I could do it in before filters or possibly from the front with react-csp.
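
The per-route approach discussed above, as an added example that is neither the javalin-openapi project's code nor the issue author's: a Javalin 5 `before` handler sends the strict front-end policy everywhere except the Swagger page, and on that page it allows the one inline script by SHA-256 hash rather than with `'unsafe-inline'`. Assumptions: the Swagger UI is served under the `/swagger` path named in the issue, the inline script text is a constructed stand-in for whatever the served HTML actually contains, and the non-`script-src` directives are placeholders to be adjusted to what the page really needs.

```java
// Added example (not from javalin-openapi or the issue author).
// Per-route Content-Security-Policy with a hash-allowlisted inline script for Swagger UI.
import io.javalin.Javalin;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class PerRouteCsp {

    /** Strict policy for the React front-end: inline scripts are refused outright. */
    static final String STRICT_CSP =
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

    /**
     * Constructed stand-in for the inline bootstrap script in the Swagger UI HTML page.
     * In practice copy the exact text between <script> and </script> from the served page:
     * the hash covers every byte, whitespace included.
     */
    static final String SWAGGER_INLINE_SCRIPT =
            "window.onload = function() { window.ui = SwaggerUIBundle({ url: '/openapi', dom_id: '#swagger-ui' }); };";

    /** CSP hash-source for an inline script: 'sha256-' + base64(SHA-256(script bytes as served)). */
    static String cspSha256(String inlineScript) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(inlineScript.getBytes(StandardCharsets.UTF_8));
            return "'sha256-" + Base64.getEncoder().encodeToString(digest) + "'";
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /**
     * Relaxed policy for the Swagger page only. Only the specific inline script is allowed,
     * so an injected inline script on that page is still blocked. The directives other than
     * script-src are assumptions; tune them to what the served page actually loads.
     */
    static String swaggerCsp() {
        return "default-src 'self'; script-src 'self' " + cspSha256(SWAGGER_INLINE_SCRIPT)
             + "; object-src 'none'; base-uri 'self'";
    }

    /** Choose the policy per request path instead of one global header. Assumed prefix: /swagger. */
    static String policyFor(String path) {
        return path.startsWith("/swagger") ? swaggerCsp() : STRICT_CSP;
    }

    public static void main(String[] args) {
        // OpenApiPlugin / SwaggerPlugin registration is omitted; it is unrelated to the header logic.
        Javalin app = Javalin.create();
        // Runs before every handler, including the plugin's /swagger route.
        app.before(ctx -> ctx.header("Content-Security-Policy", policyFor(ctx.path())));
        app.get("/", ctx -> ctx.result("front-end"));
        app.start(7070);
    }
}
```

A practical check: if the stand-in text does not match the served script byte for byte, the browser refuses the script with the same "Refused to execute inline script" error as in the issue, and that message includes the sha256 value it computed, which is the value to put in the policy.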

dzikoysk commented 1 month ago

I'll close it, because I don't think this is something we want to address in the plugin itself - at least not for now.