CSP violations due to inline styles #3370

Closed
dsebastien opened this issue Jul 11, 2017 · 22 comments · Fixed by #5578
@dsebastien

dsebastien commented Jul 11, 2017

  • swagger-ui version: 3.0.18
  • a swagger file reproducing the issue: N/A

Hello,

I'm trying to use Swagger UI through the npm packages (in a web app). I first had an issue with the swagger-ui package and Webpack 2 because some code referred to 'process'. Then I switched to swagger-ui-dist which solved that issue.

Now my application starts but I get errors because I have a strict Content Security Policy (CSP) in place and it forbids inline styles.

Some are defined in the code of the bundle.

The ideal solution would be to avoid those entirely, but if you can't or don't have time to, then adding a nonce could also help us work around the issue by adding that nonce to our CSP.

You can find more details here: https://stackoverflow.com/questions/42922784/what-s-the-purpose-of-the-html-nonce-attribute-for-script-and-style-elements

@shockey
Contributor

shockey commented Jul 12, 2017

@owenconti, correct me if I'm wrong - doesn't #3352 remove the inline styles from the npm builds?

@owenconti
Contributor

@shockey I don't think so. All the inline styles will still be inline. #3352 stopped webpack from "inlining" the entire stylesheet.

We'd need to either find a webpack plugin that can extract inline styles, or we'd need to move all of our inline styles into .scss files.

@shockey
Contributor

shockey commented Jul 14, 2017

@owenconti thanks, I was referring to the entire stylesheet being inlined, but you have a good point - looks like strict CSP doesn't like style attribute inlining either.

@dsebastien, your Webpack 2 problems raise a concern - we've been trying to improve our support with it lately, and things seem to be going well - would you mind filing another ticket with more information about the problems you've encountered?


Google suggests that a new nonce be generated for each page load. It seems to me that adding a static nonce would create a false sense of security more than it would solve the problem - but this is the first time I've dug into CSP directives, so I may be misunderstanding the intent.

@doncorsean

doncorsean commented Feb 12, 2018

So this is fixed now?

Getting "Refused to execute inline script / inline style because it violates the following Content Security Policy directive".

@shockey
Contributor

shockey commented Feb 13, 2018

@doncorsean this is not fixed, this issue and #4187 are still open 😕

if this is something you need in the short term, feel free to open a PR!

@anujsethi06

Any update on this? was this fixed?

@shockey
Contributor

shockey commented Dec 3, 2018

@anujsethi06 still open - as I mentioned above, feel free to open a PR!

@opernes

opernes commented Jan 4, 2019

Hello everyone,
We are stuck pushing swagger to production due to these CSP errors...
I do not understand what state this issue has. What shall we PR exactly? Has anything been fixed that needs a PR?

Could you please help us secure our swaggers?

thanks in advance

@ferndot

ferndot commented Jul 27, 2019

This is a pretty serious issue, could it be revisited please?

@dasiths

dasiths commented Aug 12, 2019

This is something that could prevent SwaggerUI being used in prod systems for many people. As a workaround I'm trialling using the hash as described here https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

Any update on the current status or plans on resolving this issue?

@valentin-p

Hi. When will this be released ? Do we know what will be the release version number already? Planning on using it for production as as soon as it's released. Thanks

@shockey
Contributor

shockey commented Sep 28, 2019

Folks: per the Swagger Contribution Guide, please refrain from making comments that only serve to bump the issue, indicate interest, or inquire for updates — use Reactions to vote for issues instead. Thanks!

@dgonzo27

How has this still not been addressed? This is a serious security concern for anyone that wants to leverage the Swagger-UI. And if you are able to access the page on a test or production server, you need to check your CSP settings. It seems rather hackish to move inline styling from Swagger to a .scss file. Is there not a way to reference the script source?

@konrad-a

konrad-a commented May 13, 2020

A workaround that worked for me - adding hash of JavaScript from Swagger's index.html to a list of trusted scripts in Spring Security config:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableGlobalMethodSecurity(
        prePostEnabled = true,
        securedEnabled = true,
        jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // (...)

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().disable()
            .formLogin().disable()
            .logout().disable()
            // Allow same-origin scripts plus the one inline script from Swagger's
            // index.html, pinned by its SHA-256 digest (digest value elided here).
            .headers(cust -> cust.contentSecurityPolicy(
                "script-src 'self' 'sha256-....'; object-src 'none'; base-uri 'self'"));
    }
}
```

@AdamMirza

Is the fix listed at #5578 going to be released? The PR passed, but didn't get a review and is now out of date.

Any further update on getting this resolved?

@webron
Contributor

webron commented May 27, 2020

As you may have noticed, we've had some delays working on Swagger UI and Swagger Editor. We have a few relatively new team members who are getting into things. They're reviewing existing PRs, trying to resolve some issues, implement new features and improve the documentation. As you can imagine, it all takes time but we're making headway. Can't give you an ETA at the moment, but know that it's on our radar.

@robdmoore

robdmoore commented Jun 13, 2020

This issue has now been closed, but the PR that addressed it only fixed the inline styles (AFAICT). #4187 covers off the inline ~~styles~~ scripts, but was closed in favour of tracking under this issue. Happy to be corrected if I've missed something?

@tim-lai
Contributor

tim-lai commented Jun 15, 2020

@robdmoore SwaggerUI does not load external assets such as fonts or images.

@robdmoore

robdmoore commented Jun 16, 2020

Ah, oops, my comment wasn't very clear. I meant that inline scripts aren't taken care of. I've edited the original comment to make that clearer :)

@tasdevani21

As @robdmoore mentioned, the issue with the inline scripts still exists. Can this issue be reopened to track that? With [email protected] (the latest available) this issue of the CSP violations due to the inline scripts still exists. The inline style issue seems to be fixed.

@rehevkor5

For reference, another fix was added in #6148 in version v3.27.0. If you're using 3.0.0 of springfox-swagger, that is still using swagger-ui 3.26.2.

@CleyFaye

CleyFaye commented May 27, 2021

I'm not sure if I'm at the right place, but this still definitely happens. There's a <style> tag in index.html containing a handful of styles. Were these reintroduced recently?
