Swagger-ui requires 'unsafe-eval' in CSP Headers for SVG #7540
Comments
|
This is because SVGs are loaded as images which as per CSP is an "unsafe" source: <img src="data:image/svg+xml;base64,..." alt="Swagger UI" height="40">It should be replaced with inline SVG which has no such issues: <svg xmlns="http://www.w3.org/2000/svg">...</svg> |
|
Hello everybody, Given @silverwind answer, this seems like something that can be fixed quite easily. Is anybody interested in issuing a PR? |
|
@char0n probably this is due to the webpack pipeline. I think I had a look at it and the Image was imported via js |
|
Probably need to remove |
|
When can this change is available in swashbuckle .net core package means no inline styles and javascript and image displayed from data source in swagger index.html page? |
|
Hello, |
|
Hey, |
|
Any update on this? Still running into this issue on the latest version. |
|
Same here. I am using the most-strict CSP |
|
Do you plan to fix this in the near future? |
|
We need to use https://www.npmjs.com/package/@svgr/webpack avoid the CSP issue. |
char0n
added
security fix
|
Addressed the SVG assets in #9209 There are additional tree SVG embedded in SASS files. These needs to be handled as well.
|
|
Well with SVG assets embedded in CSS we have following options 1. extract as external SVGThis is possible to do but the build will have to have additional 2. refactor actual React componentsInstead of <label htmlFor="servers">
<select onChange={ this.onServerChange } value={currentServer}>
{ servers.valueSeq().map(
( server ) =>
<option
value={ server.get("url") }
key={ server.get("url") }>
{ server.get("url") }
{ server.get("description") && ` - ${server.get("description")}` }
</option>
).toArray()}
</select>
</label>We have to do: <label htmlFor="servers">
<ArrowDownIcon />
<select onChange={ this.onServerChange } value={currentServer}>
{ servers.valueSeq().map(
( server ) =>
<option
value={ server.get("url") }
key={ server.get("url") }>
{ server.get("url") }
{ server.get("description") && ` - ${server.get("description")}` }
</option>
).toArray()}
</select>
</label>This requires a lot of changes to existing React JSX. I don't really like any of those options and I'm inclined to keep the status quo. Anybody has any other idea? |
|
All right, I've merged #9209. It helps the situation a bit, but doesn't resolve the issue completely. We still need to resolve #7540 (comment) |
|
I'd say |
|
Actually I think the original issue is invalid and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions |
|
If you decide to improve CSP compatibility, I would suggest doing it right, which would include avoiding |
|
Imho, SVGs as static hardcoded |
|
We'll most likely not be addressing the inline svg images in CSS. It's a big time investment not worth the effort. I'll do another analysis and the goal is to fit SwaggerUI into
We did enhance the situation, but complete remediation just for the sake of purity is currently out of question. We invite you to issue a PR though.
Agreed, It's not ideal but it's more than acceptable. I'll document the recommended CSP depending on the the plugin composition (with or without Standalone plugin). |
|
Using the Do you have more informations about this ? I'm curious, and currently trying to get rid of this CSP directive. |
|
I'm open to suggestions how to resolve this. I've already elaborated in #7540 (comment) what can be done. Both options have pros and cons. IMHO ideal is to go for option 2 - Are there any other options you can think of? I probed |
|
Imho, refactor to react components, but make it generic, e.g. |
|
Can we also include the script integrity for oauth2-redirect.html here swagger-ui/dist/oauth2-redirect.html Line 7 in e683759 Quick google search gave me |
|
The most strict CSP I have found that still enables the site to function fully is: worth noting these comments (but you should verify this is tolerable for your use case yourself): # "data:" is generally considered insecure, but limited to "img-src" it seems tolerable:
# see: https://security.stackexchange.com/a/167244/271464In flask I implement this with Talisman: import os
from flask import Flask
from flask_talisman import Talisman
from flask_swagger_ui import get_swaggerui_blueprint
ROOT_PATH: str = os.path.dirname(os.path.abspath(__file__))
SWAGGER_URL = "/openapi/swagger" # URL for exposing Swagger UI (without trailing '/')
API_URL = "/openapi.yaml" # Our API url (can be a local resource or url)
app = Flask(__name__, static_folder="", root_path=ROOT_PATH)
swaggerui_blueprint = get_swaggerui_blueprint(
SWAGGER_URL, # Swagger UI static files will be served at {SWAGGER_URL}/dist/
API_URL,
# config={}, # Swagger UI config overrides
# oauth_config={},
)
app.register_blueprint(swaggerui_blueprint)
# we need this CSP for talisman for swagger_ui to load:
# see: https://github.com/swagger-api/swagger-ui/issues/7540#issuecomment-1719302413
# and: https://github.com/swagger-api/swagger-ui/issues/7540#issue-1016654521
# and: https://github.com/GoogleCloudPlatform/flask-talisman?tab=readme-ov-file#content-security-policy
CSP = {
"default-src": ["'self'"],
# "data:" is generally considered insecure, but limited to "img-src" it seems tolerable:
# see: https://security.stackexchange.com/a/167244/271464
"img-src": ["'self'", "data:", "https://validator.swagger.io/"],
"script-src": ["'self'", "'sha256-5Fyhk/sAyk1LqSOCABSorU3lSp7aso7Uf5/J5HBwgDg='"],
}
talisman = Talisman(
app, strict_transport_security_preload=True, content_security_policy=CSP
) |
|
The checkboxes in the Authorize-overlay cannot be checked anymore or at least the check marks don't appear since the resource is blocked. Finally the redirect from an OAuth-provider is blocked because of the inline handler. With A proper CSP swagger-ui is not usable with (OAuth) authorization. (And it is tedious to obtain and copy bearer tokens every couple minutes to a simple bearer input field) |
|
Sorry if the question is dumb, but is it easy to compute the sha in the build pipeline and include in the nuget, or can we add something in our CI pipeline to compute it? |
|
I don't see the reason for JavaScript-quirks to simply have an input of type checkbox checked (that are to be transferred as part of a form submit). But I also tolerate people using pliers to pull on trousers. To answer the checksum-pipeline-question: as long as a checksum like in the comment above can be put into the appropriate resource. But with a CSP for a HTTP-server out of your control the answer cannot be other than »fix on customer side«. I can compute a checksum according to my needs which is tedious and breaks from time to time (with auto update tools for dependencies like Renovate). And others will return with the same error causing noise. All the means of security can either be made right (avoid the unnecessary extensions/ reduce), undermined (by relaxing if possible) or left aside (making it unusable for contexts with strict security policies). |
Q&A (please complete the following information)
Content & configuration
The default petstore example can be used.
Serve swagger-ui with a CSP that limits images, such as:
Describe the bug you're encountering
The swagger logo and icons are blocked when using a secure CSP.
Swagger-ui should not use inline data images in the css for SVGs.
To reproduce...
Serve swagger-ui with a CSP that limits images, such as:
This will cause the browser to block images with a url starting with
data:image/svg+xml;.The swagger-ui logo and expand/collapse icons are blocked.
Expected behavior
The swagger logo and icons should not be blocked when using a secure CSP.
Screenshots
Additional context or thoughts
This can be worked around by using the CSP:
But, as is explicit in the header name, this is unsafe.
CSP in swagger-ui is a larger problem than this bug report
In this bug report, I kept it specific to the SVG images as I hadn't seen them mentioned in a bug report thus far. But CSP seems to be generally overlooked. I see no reason that swagger-ui should not work with a basic CSP:
As-is, I've had to build a very custom (see below) CSP that includes the hashes of various things to do with swagger-ui (across various versions) and also accept that the logo will look broken, and the expand/collaps icons are missing. This is not a great experience for the user.
See also:
#5817
#3370
https://github.com/swagger-api/swagger-ui/issues?q=is%3Aissue+content-security-policy
The text was updated successfully, but these errors were encountered: