
Doesn't work with CSP #505

Closed
markblandford opened this issue Oct 6, 2017 · 7 comments

@markblandford

Unable to use this due to the inline script, when using a Content Security Policy without enabling unsafe-inline.

Can this be fixed please?

@domaindrivendev
Owner

To reduce drift and ongoing maintenance, I want to avoid significant customization of the swagger-ui assets. I see there's an open issue for this in the swagger-ui library (swagger-api/swagger-ui#3370) and as soon as they have an out-of-the-box solution, I'll be happy to incorporate that version into Swashbuckle.

In the meantime, Swashbuckle does allow you to inject your own version of the index.html (see readme for details) so you could implement the customization yourself without too much effort.

Moving to the backlog for now.

@angularsen

angularsen commented Oct 28, 2021

This workaround seems to work for me, using NWebSec to add CSP headers:

// Content Security Policy for static files (.js, .css, .png etc).
// Lock down all inline and external content, by default.
app.UseCsp(opts => opts
    .BlockAllMixedContent()
    .FontSources(s => s.Self())
    .StyleSources(s => s.Self())
    .ImageSources(s => s.Self())
    .ScriptSources(s => s.Self()));

// Workaround for Swagger UI inline scripts/styles/images:
// Doesn't work with CSP https://github.com/domaindrivendev/Swashbuckle.AspNetCore/issues/505
app.UseWhen(c => c.Request.Path.StartsWithSegments("/swagger"), swaggerApp =>
{
    // Hashes were logged by Chrome console on Swashbuckle.AspNetCore.SwaggerUI 6.2.3.
    swaggerApp.UseCsp(opts => opts
        .BlockAllMixedContent()
        .FontSources(s => s.Self())

        // Allow specific inline styles.
        .StyleSources(s => s.Self().CustomSources(
            "sha256-wkAU1AW/h8YFx0XlzvpTllAKnFEO2tw8aKErs5a26LY="))

        // Allow inline images.
        // 1. SVG image <img src="data:image/svg+xml;charset=utf-8,<svg..." />
        .ImageSources(s => s.Self().CustomSources("data:"))

        // Allow specific inline scripts.
        // 1. Script with workaround for Edge and window.fetch
        // 2. Script that calls ui.initOAuth(oauthConfigObject) on window.onload.
        .ScriptSources(s => s.Self().CustomSources(
            "sha256-Tui7QoFlnLXkJCSl1/JvEZdIXTmBttnWNxzJpXomQjg=",
            "sha256-7u+bBensrxRNXlfstcoTcU6DIf4Juv6l8m1Iw8EbkFY=")));
});

The hashes seem unique to my APIs, so you may want to adjust the hashes or simply allow unsafe-inline instead by replacing CustomSources(...) with UnsafeInline().
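Hash-based allow-listing of the kind shown in the comment above depends on the exact bytes of each inline block, which is why the values copied from the browser console stop matching as soon as anything rendered into those scripts changes. The following Python is an added example, not code from this thread or from Swashbuckle: it parses a saved copy of the served Swagger UI page (the sample HTML below is constructed and is not Swashbuckle's real template), hashes every inline `<script>` and `<style>` body the same way the browser does (SHA-256 over the UTF-8 bytes between the tags, base64, prefixed `sha256-`), and assembles a header value with the same shape as the NWebSec policy above, so the hashes can be regenerated instead of transcribed.

```python
"""Regenerate CSP hash sources for the inline <script>/<style> blocks of an HTML page.

Added example, not code from Swashbuckle or from this thread. It reproduces what
the browser console reports for a blocked inline block: SHA-256 over the exact
UTF-8 bytes between the tags, base64-encoded, prefixed with "sha256-".
"""
import base64
import hashlib
from html.parser import HTMLParser


def csp_hash(text: str, algo: str = "sha256") -> str:
    """CSP source expression for one inline block (without the surrounding quotes).

    The hash covers the block exactly as served, whitespace and newlines
    included, so the text is deliberately not stripped or normalised.
    """
    digest = hashlib.new(algo, text.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class _InlineBlockCollector(HTMLParser):
    """Collects the bodies of <script> and <style> elements that carry no src attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.blocks: dict[str, list[str]] = {"script": [], "style": []}
        self._open: str | None = None
        self._chunks: list[str] = []

    def handle_starttag(self, tag, attrs):
        # <script src=...> is an external file: it is covered by 'self' or a host
        # source, not by a hash, so its (normally empty) body is ignored.
        if tag in self.blocks and not any(name == "src" for name, _ in attrs):
            self._open, self._chunks = tag, []

    def handle_data(self, data):
        # The parser may deliver one block in several pieces; keep them all.
        if self._open is not None:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == self._open:
            self.blocks[tag].append("".join(self._chunks))
            self._open = None


def inline_hashes(html: str) -> dict[str, list[str]]:
    """Map 'script'/'style' to the hash sources of each inline block, in document order."""
    parser = _InlineBlockCollector()
    parser.feed(html)
    parser.close()
    return {tag: [csp_hash(body) for body in bodies] for tag, bodies in parser.blocks.items()}


def build_csp(hashes: dict[str, list[str]]) -> str:
    """Header value with the shape of the NWebSec policy above: 'self' plus one hash
    per inline block, data: for the inline SVG images, no 'unsafe-inline' anywhere."""
    def sources(tag: str) -> str:
        return " ".join(["'self'", *(f"'{h}'" for h in hashes[tag])])

    return (
        "default-src 'self'; "
        f"script-src {sources('script')}; "
        f"style-src {sources('style')}; "
        "img-src 'self' data:; "
        "font-src 'self'; "
        "block-all-mixed-content"
    )


# Constructed sample page (not Swashbuckle's real template): one external script,
# two inline scripts and one inline style, loosely modelled on a Swagger UI index.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<style>
  body { margin: 0; background: #fafafa; }
</style>
<script src="./swagger-ui-bundle.js"></script>
</head><body>
<div id="swagger-ui"></div>
<script>
  if (typeof window.fetch !== "function") { console.warn("fetch is not available"); }
</script>
<script>
  window.onload = function () {
    var ui = SwaggerUIBundle({ url: "/swagger/v1/swagger.json", dom_id: "#swagger-ui" });
    ui.initOAuth({ clientId: "example-client" });
  };
</script>
</body></html>
"""

if __name__ == "__main__":
    found = inline_hashes(SAMPLE_HTML)
    for tag, values in found.items():
        for value in values:
            print(f"{tag}: {value}")
    print(build_csp(found))
```

Run it against the page exactly as the server delivers it (for example the body of a `curl` of the Swagger UI index), not against the template on disk, and re-run it whenever the Swagger UI configuration changes, since whatever is rendered into those inline scripts is part of the hashed bytes. A single stray newline or trailing space inside a block produces a different hash, which is the behaviour the `sha256` source is designed to have.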

@evgenisokolov

Hi, @angularsen!
It seems that the bug you mentioned is resolved. Do you have any plans on updating a Swagger UI version?

@angularsen

@evgenisokolov I'm not the maintainer of this project if you were asking that?

It's been 1 year since any commits on this project, so it seems a bit stale and no pull requests are getting merged. Not sure what's going on.

@angularsen

According to Microsoft's docs on OpenAPI, there are two community packages that offer Swagger UI:

The two main OpenAPI implementations for .NET are Swashbuckle and NSwag, see:

Getting Started with Swashbuckle
Getting Started with NSwag

The other one seems actively maintained at least, but I haven't tried it:
https://github.com/RicoSuter/NSwag

@angularsen

Okay, some more chatter here about the inactivity of this project:
#2759

@martincostello
Collaborator

This is something we're unlikely to tackle as per the original comment about the complexity it brings, as well as still depending on swagger-ui itself being CSP friendly.

If you have a need to use a strict Content Security Policy, I suggest you not use the SwaggerUI package at all and instead ship your own index.html file that you can customize to use CSP features such as specifying an integrity hash. Here's an example: index.html.

I also maintain a GitHub Action that can update such files for you if you consume them from a CDN: martincostello/update-static-assets

@martincostello closed this as not planned on May 4, 2024
5 participants