Fix for swagger unsafe inline
edlouth committed Dec 11, 2023
1 parent 6cb67ff commit 6e5af6e
Showing 2 changed files with 27 additions and 23 deletions.
48 changes: 26 additions & 22 deletions grai-server/app/templates/swagger-ui.html
@@ -1,31 +1,35 @@
<!DOCTYPE html>
<html>

<head>
<head>
<title>Swagger</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="https://unpkg.com/swagger-ui-dist@3/swagger-ui.css">
</head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link
rel="stylesheet"
type="text/css"
href="https://unpkg.com/swagger-ui-dist@3/swagger-ui.css"
/>
<meta id="csrftoken" name="csrftoken" content="{csrftoken}" />
</head>

<body>
<body>
<div id="swagger-ui"></div>
<script src="https://unpkg.com/swagger-ui-dist@3/swagger-ui-bundle.js"></script>
<script>
const ui = SwaggerUIBundle({
url: "{% url 'schema' %}",
dom_id: '#swagger-ui',
presets: [
SwaggerUIBundle.presets.apis,
SwaggerUIBundle.SwaggerUIStandalonePreset
],
layout: "BaseLayout",
requestInterceptor: (request) => {
request.headers['X-CSRFToken'] = "{{ csrf_token }}"
return request;
}
})
const ui = SwaggerUIBundle({
url: "{% url 'schema' %}",
dom_id: "#swagger-ui",
presets: [
SwaggerUIBundle.presets.apis,
SwaggerUIBundle.SwaggerUIStandalonePreset,
],
layout: "BaseLayout",
requestInterceptor: (request) => {
request.headers["X-CSRFToken"] =
document.getElementById("csrftoken").innerHTML;
return request;
},
});
</script>
</body>

</body>
</html>
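Review bot: The CSRF header the new requestInterceptor sets will be the empty string: `{csrftoken}` on the added `<meta>` line is literal text in a Django template (this file uses `{% url 'schema' %}`, and the removed line used `{{ csrf_token }}`), and `innerHTML` of a void `<meta>` element is always `""`, so try-it-out requests against session-authenticated endpoints will fail CSRF validation. Use `content="{{ csrf_token }}"` on the meta tag and read it with `document.getElementById("csrftoken").content` (or `getAttribute("content")`). Note also that with `'unsafe-inline'` dropped from CSP_SCRIPT_SRC in the sibling settings change this inline script is permitted only by its SHA-256 hash, so any later edit or reformat of the `<script>` body must be paired with regenerating that hash; and the swagger bundle is still fetched from unpkg under a floating `@3` tag with no `integrity` attribute, so whatever the CDN serves runs with full access to the session and the token.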
2 changes: 1 addition & 1 deletion grai-server/app/the_guide/settings/base.py
Expand Up @@ -438,7 +438,7 @@ def inner(value: str | bool) -> bool:
# Content Security Policy
CSP_IMG_SRC = "'self' data: https://cdn.redoc.ly"
CSP_STYLE_SRC = "'self' 'unsafe-inline' https://unpkg.com https://fonts.googleapis.com"
CSP_SCRIPT_SRC = "'self' 'unsafe-inline' blob: https://unpkg.com https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js"
CSP_SCRIPT_SRC = "'self' blob: https://unpkg.com https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js 'sha256-Ri7Dq6kn4d1SzxucogauP62ISolkcXZOaUT8I/xEVGg=' 'sha256-J8pGp/Y6gm05ag6P7dPEm65mUl5R2czgNxQwp+oKbgY='"
CSP_FONT_SRC = "'self' data: https://fonts.gstatic.com"
CSP_OBJECT_SRC = "'none'"
CSP_REPORT_ONLY = config("CSP_REPORT_ONLY", default=False, cast=bool)
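Review bot: The two `'sha256-…'` values added to CSP_SCRIPT_SRC are opaque — nothing records which inline `<script>` each one covers or how to regenerate it, and because CSP_REPORT_ONLY defaults to False a single whitespace change in the hashed template silently breaks the page in enforcing mode. Add a comment above the line such as `# SHA-256 of the inline <script> bodies in templates/swagger-ui.html (presumably the second is the redoc page — confirm); recompute after any edit with: openssl dgst -sha256 -binary < script_body | base64`. If this is django-csp, a per-request nonce (`CSP_INCLUDE_NONCE_IN = ["script-src"]` in settings and `nonce="{{ request.csp_nonce }}"` on the script tags) removes the hash-maintenance burden entirely. Separately, `blob:` stays in script-src and the redoc bundle is still sourced at `@latest` from jsdelivr, so the policy continues to trust whatever those CDNs serve.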
