I am getting a problem where the UI is blank once I enable the CSP that is part of Rails 5.2. The reason is that the inline script tags which load the UI are blocked since I don't have unsafe-inline in my script-src.
Rails has the ability to let a controller override the CSP for a certain context but since the UI is served via middleware we don't have that option to override. I can add unsafe-inline to my global CSP and the problem is fixed but then my entire app allows inline scripts. :(
When looking at the Rails CSP module I noticed that if the page already has a CSP header it won't add the global config. I'm thinking this is the answer. Figure out what CSP header is appropriate for Swagger UI and have the RSwag middleware include that header.
I can do the leg work on making a PR for this but wanted to confirm this is the desired strategy and something you consider in-scope for this project.
Didn't get any feedback on this so don't want to create a PR unless I think it will be accepted. But if anybody else hits this issue and doesn't want to open up their entire app for the API docs you can use this monkey-patch to delivery a wider CSP just for Rswag:
module Rswag::Ui::CSP
def call env
_, headers, _ = response = super
headers['Content-Security-Policy'] = <<~POLICY.gsub "\n", ' '
default-src 'self';
img-src 'self' data: https://online.swagger.io;
font-src 'self' https://fonts.gstatic.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
POLICY
response
end
end
Rswag::Ui::Middleware.prepend Rswag::Ui::CSP
Place this in your lib directory and require it at the bottom of your application.rb file.
Didn't get any feedback on this so don't want to create a PR unless I think it will be accepted. But if anybody else hits this issue and doesn't want to open up their entire app for the API docs you can use this monkey-patch to delivery a wider CSP just for Rswag:
module Rswag::Ui::CSP def call env _, headers, _ = response = super headers['Content-Security-Policy'] = <<~POLICY.gsub "\n", ' ' default-src 'self'; img-src 'self' data: https://online.swagger.io; font-src 'self' https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; POLICY response end end Rswag::Ui::Middleware.prepend Rswag::Ui::CSPPlace this in your
libdirectory and require it at the bottom of yourapplication.rbfile.
It works great for me.
Ah, Thanks for bringing this to my attention, yes CSP is something that should work for the middleware.
Lets see about getting something tested and merged as CSP is an important security feature to many.
Most helpful comment
Didn't get any feedback on this so don't want to create a PR unless I think it will be accepted. But if anybody else hits this issue and doesn't want to open up their entire app for the API docs you can use this monkey-patch to delivery a wider CSP just for Rswag:
Place this in your
libdirectory and require it at the bottom of yourapplication.rbfile.