Add integrity hash on swagger-ui inline scripts #2667
Comments
Would you like to create a PR for this issue?

@kamilmysliwiec Yeah, do you want me to hardcode (= kind of a burden when the https://github.com/nestjs/swagger/blob/master/package.json#L31 dependency is upgraded) or dynamically compute the integrity (adds a new dependency https://github.com/zkat/ssri#from-data)?

I'd rather steer clear of adding more external dependencies to this package

@kamilmysliwiec May I have some preliminary feedback on #2680 before writing tests? I am particularly interested in your thoughts on this commit b29efb0, which breaks one of the E2E tests. I also did not find the

Let's track this here #2680
Is there an existing issue that is already proposing this?

Is your feature request related to a problem? Please describe it

I enabled CSP in my apps and I have issues with the redirect from /oauth2-redirect.html within my OIDC flow in swagger-ui for my non-prod workflows. My current workaround looks like this:

Describe the solution you'd like

I'd like to have the integrity attribute on the script tags as described in https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity.

swagger/lib/swagger-ui/constants.ts, lines 73 to 75 in c20bd9b

Teachability, documentation, adoption, migration strategy

Users can use it as follows in their code when using CSP:

where shaXXX-XXXXXXXXXXXXXX... resembles the integrity hash from the oauth2-redirect.html.

What is the motivation / use case for changing the behavior?

As mentioned above, I want to use CSP headers and the swagger-ui is giving me a hard time with the inline scripts without the integrity hash that could be whitelisted in CSP.