Do not rely on CDN for swagger JS by default #389
Comments
|
hi @pombredanne, 1a: absolutely, there could be an attack on unpkg. someone could also smuggle something into swagger-ui build with a neatly constructed github action. in that case we would also be vulnerable by using the swagger-ui github releases, and we need to get a release from somewhere. 1b: also true, but loading 3rd party hosted assets is probably more the norm than the exception in today's internet. who hosts all their assets themselves anymore? nobody is forcing you to use the CDN. if you are so inclined, you are free to change those settings and host your swagger-ui build yourself. that is exactly the reason why the setting is there.
i don't understand. those are the settings. they are there to be changed. simply put a different value in your we will not host copies of our dependencies ourselves. cumbersome to update and very little benefit in it. feel free to suggest a better industry-recognized CDN and we can talk. 2: yes, potentially but that is the point. however, i would say that loading the asset would be the least of your problems. also mixed content is bad. if you serve your swagger-ui over |
|
closing this issue for now. feel free to comment if anything is missing or not working and we will follow-up. |
tfranzel
added
enhancement
|
the sidecar is here: https://github.com/tfranzel/drf-spectacular-sidecar convenience methods and doc added with aeda969. not relying on CDNs is now a lot easier. |
|
@tfranzel Thank you! |
This will help generate an Open API documentation now that we do not have CDN issues anymore with: tfranzel/drf-spectacular#389 Referenced-by: #454 Thanks-you-to: T. Franzel @tfranzel Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
This will help generate an Open API documentation now that we do not have CDN issues anymore with: tfranzel/drf-spectacular#389 Referenced-by: #454 Thanks-you-to: T. Franzel @tfranzel Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
This will help generate an Open API documentation now that we do not have CDN issues anymore with: tfranzel/drf-spectacular#389 Referenced-by: aboutcode-org#454 Thanks-you-to: T. Franzel @tfranzel Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
This will help generate an Open API documentation now that we do not have CDN issues anymore with: tfranzel/drf-spectacular#389 Referenced-by: #454 Thanks-you-to: T. Franzel @tfranzel Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
Describe the bug
These settings
drf-spectacular/drf_spectacular/settings.py
Line 46 in 4da04c2
are problematic on several levels:
Here I am using a local server which is HTTP and not HTTPS, and now this means that these data could be fetched over HTTP-only.
Expected behavior
These should be static resource instead or at the minimum be
https://by default This would make things much simpler IMHO.Alternatively if there were a way to override the setting such that I could provide my own locally that would be a good too.
The text was updated successfully, but these errors were encountered: