scottie1984 / swagger-ui-express

Adds middleware to your express app to serve the Swagger UI bound to your Swagger document. This acts as living documentation for your API hosted from within your app.
MIT License

Change SVG tag to comply with CSP header "style-src: self" #255

Open schmolst opened 3 years ago

schmolst commented 3 years ago

The following line

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" **style="position:absolute;width:0;height:0"**>

is problematic if you set your CSP header "styleSrc" to "self". It enforces an "unsafe-inline". Even a nonce or a sha will not solve it (because nonce & sha do not currently work on style attributes).

Proposal: Change it to

` `

This should work as well and does not cause CSP problems.
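As an added example (not part of this issue thread or of swagger-ui-express), the following Node snippet reports inline `style=""` attributes in served HTML that a `style-src 'self'` policy would block, using the `<svg>` tag quoted above as constructed input; the "fixed" variant with a `class` attribute is a hypothetical stand-in for moving the declarations into a stylesheet.

```javascript
// Added example, not from the swagger-ui-express project.
// Nonces and hashes apply to <style> elements; a style="" attribute is still
// blocked unless the policy carries 'unsafe-inline' (CSP3 additionally allows a
// matching hash together with 'unsafe-hashes'). Moving the declarations into a
// stylesheet class is the clean fix.

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Effective source list for style attributes, following CSP fallback order.
function styleSources(policy) {
  return policy['style-src-attr'] || policy['style-src'] || policy['default-src'] || null;
}

// Collect every tag carrying an inline style attribute.
function findInlineStyleAttrs(html) {
  const hits = [];
  const tagRe = /<([a-zA-Z][\w:-]*)\b[^>]*\sstyle\s*=\s*("[^"]*"|'[^']*')/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    hits.push({ tag: m[1], style: m[2].slice(1, -1) });
  }
  return hits;
}

// Return the inline style attributes that the given policy would block.
function cspStyleAttrViolations(cspHeader, html) {
  const sources = styleSources(parseCsp(cspHeader));
  if (sources === null) return []; // no directive restricts styles
  return sources.includes("'unsafe-inline'") ? [] : findInlineStyleAttrs(html);
}

// Constructed samples: the tag from the issue, and a hypothetical fixed variant
// whose positioning would live in an external stylesheet under class "hidden".
const BEFORE = '<svg xmlns="http://www.w3.org/2000/svg" style="position:absolute;width:0;height:0"><defs></defs></svg>';
const AFTER = '<svg xmlns="http://www.w3.org/2000/svg" class="hidden"><defs></defs></svg>';

module.exports = { parseCsp, styleSources, findInlineStyleAttrs, cspStyleAttrViolations, BEFORE, AFTER };
```

Running `cspStyleAttrViolations("default-src 'self'; style-src 'self'", BEFORE)` flags the `svg` tag, while the same policy against `AFTER` reports nothing.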
scottie1984 commented 2 years ago

There is an open issue with Swagger UI that would need to be resolved before I could begin sorting swagger-ui-express.

https://github.com/swagger-api/swagger-ui/issues/7540