Rswag: Content Security Policy for UI middleware

Created on 11 Dec 2018  路  3Comments  路  Source: rswag/rswag

I am getting a problem where the UI is blank once I enable the CSP that is part of Rails 5.2. The reason is that the inline script tags which load the UI are blocked since I don't have unsafe-inline in my script-src.

Rails has the ability to let a controller override the CSP for a certain context but since the UI is served via middleware we don't have that option to override. I can add unsafe-inline to my global CSP and the problem is fixed but then my entire app allows inline scripts. :(

When looking at the Rails CSP module I noticed that if the page already has a CSP header it won't add the global config. I'm thinking this is the answer. Figure out what CSP header is appropriate for Swagger UI and have the RSwag middleware include that header.

I can do the leg work on making a PR for this but wanted to confirm this is the desired strategy and something you consider in-scope for this project.

enhancement help wanted

Most helpful comment

Didn't get any feedback on this so don't want to create a PR unless I think it will be accepted. But if anybody else hits this issue and doesn't want to open up their entire app for the API docs you can use this monkey-patch to delivery a wider CSP just for Rswag:

module Rswag::Ui::CSP
  def call env
    _, headers, _ = response = super
    headers['Content-Security-Policy'] = <<~POLICY.gsub "\n", ' '
      default-src 'self';
      img-src 'self' data: https://online.swagger.io;
      font-src 'self' https://fonts.gstatic.com;
      style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
      script-src 'self' 'unsafe-inline' 'unsafe-eval';
    POLICY
    response
  end
end

Rswag::Ui::Middleware.prepend Rswag::Ui::CSP

Place this in your lib directory and require it at the bottom of your application.rb file.

All 3 comments

Didn't get any feedback on this so don't want to create a PR unless I think it will be accepted. But if anybody else hits this issue and doesn't want to open up their entire app for the API docs you can use this monkey-patch to delivery a wider CSP just for Rswag:

module Rswag::Ui::CSP
  def call env
    _, headers, _ = response = super
    headers['Content-Security-Policy'] = <<~POLICY.gsub "\n", ' '
      default-src 'self';
      img-src 'self' data: https://online.swagger.io;
      font-src 'self' https://fonts.gstatic.com;
      style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
      script-src 'self' 'unsafe-inline' 'unsafe-eval';
    POLICY
    response
  end
end

Rswag::Ui::Middleware.prepend Rswag::Ui::CSP

Place this in your lib directory and require it at the bottom of your application.rb file.

Didn't get any feedback on this so don't want to create a PR unless I think it will be accepted. But if anybody else hits this issue and doesn't want to open up their entire app for the API docs you can use this monkey-patch to delivery a wider CSP just for Rswag:

module Rswag::Ui::CSP
  def call env
    _, headers, _ = response = super
    headers['Content-Security-Policy'] = <<~POLICY.gsub "\n", ' '
      default-src 'self';
      img-src 'self' data: https://online.swagger.io;
      font-src 'self' https://fonts.gstatic.com;
      style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
      script-src 'self' 'unsafe-inline' 'unsafe-eval';
    POLICY
    response
  end
end

Rswag::Ui::Middleware.prepend Rswag::Ui::CSP

Place this in your lib directory and require it at the bottom of your application.rb file.

It works great for me.

Ah, Thanks for bringing this to my attention, yes CSP is something that should work for the middleware.
Lets see about getting something tested and merged as CSP is an important security feature to many.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

anttikiiveri picture anttikiiveri  路  3Comments

vittoriabitton picture vittoriabitton  路  5Comments

salzig picture salzig  路  5Comments

Kutomore picture Kutomore  路  3Comments

DalfDev picture DalfDev  路  3Comments