Open dmeierotto opened 4 years ago
Hi 😄
I'm having the same issue.
I already updated to version `^3.35.0`, but the issue is not resolved. Any ideas on how to tackle this?
The problem is that oauth2-redirect.html contains inline scripting.
When using `script-src 'self'`, the browser will not allow inline scripting.
One way to fix this is to use `script-src 'unsafe-inline'`, which defeats the purpose of using CSP.
More on the topic: https://content-security-policy.com/unsafe-inline/
Adding a hash to the CSP config is a possibility, but cumbersome and error-prone.
A permanent fix: storing the script block in a file and referencing it from the HTML file should solve the issue.
Hi there!
Q&A
Content & configuration
Configuration
Describe the bug you're encountering
We are implementing CSP rules on a site hosting the swagger UI. The oauth-redirect.html has an inline event handler that is not possible to white list using CSP Options.
oauth-redirect.html
To reproduce...
Steps to reproduce the behavior:
CSP Error: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-hQoyAYxxdlQX6mYg//3SgDUdhiDx4sZq5ThHlCL8Ssg=' 'sha256-wSMjdhDGsmL8uer6UgaOodrMBixq2O/zf4+5e/MFH0A=' 'sha256-eGAYk6fd1okMa1sD6UOTFlv8sY5fE/9GBBbK/dRq+HU='". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
Expected behavior
Redirect should work with CSP `script-src 'self'`.
The inline event handler (`onload="run()"`) should be moved to the script block so the entire block can be whitelisted with a hash. E.g.