
Swagger UI requires unsafe-inline style-src CSP

See original GitHub issue

Please take the time to search the repository, if your question has already been asked or answered.

  • What version of the library are you using?
implementation("io.springfox:springfox-boot-starter:3.0.0")

Is it the latest version?

Yes

What kind of issue is this?

  • Question. Is this a question about how to do a certain thing?

  • Bug report. If you’ve found a bug, spend the time to write a failing test.

https://github.com/springfox/springfox/blob/758113378de02fd339916f60810abc1d12bb547b/springfox-swagger-ui/src/web/swagger-ui.html#L11-L29

https://github.com/springfox/springfox/blob/758113378de02fd339916f60810abc1d12bb547b/springfox-swagger-ui/src/web/swagger-ui.html#L34

Both are incompatible with a strict CSP and require style-src 'unsafe-inline', which is not acceptable from a security perspective.
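The usual way to serve inline `<style>` content under a strict policy is to list per-block hash sources in style-src instead of 'unsafe-inline'. The following is an added example, not springfox or Swagger UI code: it scans a constructed HTML sample (standing in for swagger-ui.html, whose real contents are not on this page) for inline styles and emits the hash sources a strict style-src would need.

```python
import base64
import hashlib
import re

# Hypothetical helper, not part of springfox or Swagger UI: derive CSP hash
# sources for a page's inline styles so style-src can drop 'unsafe-inline'.
# A CSP hash covers the exact text between <style> and </style>, whitespace
# included, so the captured group is deliberately not stripped.
STYLE_BLOCK_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.DOTALL | re.IGNORECASE)
STYLE_ATTR_RE = re.compile(r'\sstyle\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed sample with one <style> element and one style="..." attribute;
# it is NOT the real swagger-ui.html referenced in the issue.
SAMPLE_HTML = """<!doctype html>
<html><head>
  <style>
    html { box-sizing: border-box; }
    body { margin: 0; background: #fafafa; }
  </style>
</head><body>
  <div id="swagger-ui" style="padding: 1em"></div>
</body></html>
"""

WEAK_STYLE_SRC = "style-src 'self' 'unsafe-inline'"  # the directive the issue objects to

def inline_style_blocks(html: str) -> list[str]:
    return STYLE_BLOCK_RE.findall(html)

def inline_style_attributes(html: str) -> list[str]:
    return STYLE_ATTR_RE.findall(html)

def csp_hash(source: str) -> str:
    """Return a CSP hash-source ('sha256-<base64>') for one inline style."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def style_src_directive(html: str) -> str:
    """Build a style-src that allows only this page's own inline styles."""
    sources = ["'self'"] + [csp_hash(s) for s in inline_style_blocks(html)]
    attrs = inline_style_attributes(html)
    if attrs:
        # Hash sources match <style> elements only; style="..." attributes also
        # need the CSP Level 3 'unsafe-hashes' keyword (browser support varies).
        sources.append("'unsafe-hashes'")
        sources.extend(csp_hash(a) for a in attrs)
    return "style-src " + " ".join(sources)

def allows_any_inline(directive: str) -> bool:
    """True if the directive still admits every inline style on the page."""
    return "'unsafe-inline'" in directive.rstrip(";").split()

if __name__ == "__main__":
    print(WEAK_STYLE_SRC, "-> allows any inline:", allows_any_inline(WEAK_STYLE_SRC))
    strict = style_src_directive(SAMPLE_HTML)
    print(strict, "-> allows any inline:", allows_any_inline(strict))
```

Regenerate the hashes whenever the inline CSS changes, since a single changed byte invalidates the source and the browser then blocks the style.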

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 13

Top GitHub Comments

2 reactions
lol768 commented, Feb 10, 2021

#3726

Frankly I find these integrations to be disrespectful to the folks who take the time to report issues and write patches to fix them.

0 reactions
stale[bot] commented, Jun 19, 2022

This issue has been automatically closed because it has not had recent activity. Please re-open a new issue if this is still an issue.
