Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Swagger is blocked by CSP

See original GitHub issue

When I visit http://localhost:3000/swagger-html, I got below error in the console.

Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.21.0/swagger-ui-bundle.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

It turns out that the Content Security Policy enabled by helmet blocks loading swagger related files from CDN, since this issue is gone after comment out app.use(helmet()).

Issue Analytics

State:
Created 2 years ago
Comments:5 (5 by maintainers)

Top GitHub Comments

1reaction

javieravilescommented, May 25, 2021

app.use(helmet.contentSecurityPolicy({
        directives:{
          defaultSrc:["'self'"],
          scriptSrc:["'self'",'cdnjs.cloudflare.com'],
          styleSrc:["'self'",'cdnjs.cloudflare.com', 'fonts.googleapis.com'],
          fontSrc:["'self'",'fonts.gstatic.com']}}));

this would actually make it, but then the inline styles and scripts would get rejected, and adding ‘unsafe-inline’ as part of the CSP does not seem to be a good idea… Even though I understand by default are allowed since it did not complain before, so I’m adding it for now.

0reactions

javieravilescommented, May 25, 2021

Looking perfect now with this solution, thanks again for catching it!

Top Results From Across the Web

Swagger-ui requires 'unsafe-eval' in CSP Headers for SVG

The swagger logo and icons are blocked when using a secure CSP. Swagger-ui should not use inline data images in the css for...

Swagger UI is blank because of Content-Security-Policy

Yes, it was blocked by an internal filter not to support the Content-Security. I have made it to allow it again. – Saurabh...

How to lock down your CSP when using Swashbuckle

In this post we go through the adjustments we need to make to our app to have a strict CSP while using Swashbuckle....

Content Security Policy for Swagger OpenAPI UI - TheCodeBuzz

A CSP header enables you to control the sources/content on your site that the browser can load. So this header gives you the...

How to fix 'because it violates the following content security ...

Blocked by Content Security Policy. 'csp error because it violates the following content security policy directive'. Content Security Policy error message.