Adds middleware to your express app to serve the Swagger UI bound to your Swagger document. This acts as living documentation for your API hosted from within your app.
MIT License
Change SVG tag to comply with CSP header "style-src: self" #255
The following line
`<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" style="position:absolute;width:0;height:0">`
is problematic if you set your CSP header "styleSrc" to "self". It enforces an "unsafe-inline". Even a nonce or a sha will not solve it (because nonce & sha currently do not work on style attributes).
Proposal: Change it to
`
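The behaviour described in the issue, as an added example that is not part of the original issue or the project's code: a small Node.js check that models the CSP Level 3 source-list rules for `style` attributes and flags markup such as the quoted `<svg>` tag. The function names and sample policies are constructed for illustration, and the tag scan is a regex heuristic rather than an HTML parser.

```javascript
// Added example. Models the CSP Level 3 source-list rules for style attributes.
// Function names and sample policies are constructed for illustration.

// Parse a CSP header value into Map(directive -> lowercased source expressions).
// Lowercasing is only safe because the values are used for keyword/prefix checks.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Returns 'allowed', 'blocked', or 'hash-only' for inline style="" attributes.
function styleAttrVerdict(header) {
  const d = parseCsp(header);
  // Style attributes are governed by style-src-attr, then style-src, then default-src.
  const list = d.get('style-src-attr') ?? d.get('style-src') ?? d.get('default-src');
  if (list === undefined) return 'allowed'; // no directive restricts styles
  const hasHash = list.some((s) => /^'sha(256|384|512)-/.test(s));
  const hasNonce = list.some((s) => s.startsWith("'nonce-"));
  // 'unsafe-inline' is ignored as soon as the list carries a nonce or a hash.
  if (list.includes("'unsafe-inline'") && !hasHash && !hasNonce) return 'allowed';
  // Nonces never apply to attributes; hashes apply only with 'unsafe-hashes'.
  if (hasHash && list.includes("'unsafe-hashes'")) return 'hash-only';
  return 'blocked';
}

// Regex heuristic (not an HTML parser): list tags that carry a style attribute.
function findStyleAttrs(html) {
  const re = /<([a-zA-Z][\w:-]*)\b[^>]*?\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)')[^>]*>/g;
  return [...html.matchAll(re)].map((m) => ({ tag: m[1].toLowerCase(), style: m[2] ?? m[3] }));
}

// Combine both: which style attributes in `html` does this policy put at risk?
function audit(header, html) {
  const verdict = styleAttrVerdict(header);
  return { verdict, affected: verdict === 'allowed' ? [] : findStyleAttrs(html) };
}

// The tag quoted in the issue (xlink namespace omitted), against constructed policies.
const SVG = '<svg xmlns="http://www.w3.org/2000/svg" style="position:absolute;width:0;height:0">';
for (const policy of ["style-src 'self'", "style-src 'self' 'nonce-r4nd0m'",
  "style-src 'self' 'unsafe-inline'"]) {
  console.log(policy, '=>', JSON.stringify(audit(policy, SVG)));
}
```

A `hash-only` verdict means the attribute applies only if its exact value matches one of the listed hashes; the example does not compute that hash.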