From 6e5af6e8320818e75f26ac2bba38f55de35b820c Mon Sep 17 00:00:00 2001
From: Edward Louth <edward@louths.com>
Date: Mon, 11 Dec 2023 18:43:04 +0000
Subject: [PATCH] Fix for swagger unsafe inline

---
 grai-server/app/templates/swagger-ui.html  | 48 ++++++++++++----------
 grai-server/app/the_guide/settings/base.py |  2 +-
 2 files changed, 27 insertions(+), 23 deletions(-)

diff --git a/grai-server/app/templates/swagger-ui.html b/grai-server/app/templates/swagger-ui.html
index b27dd4e4a..27837c993 100755
--- a/grai-server/app/templates/swagger-ui.html
+++ b/grai-server/app/templates/swagger-ui.html
@@ -1,31 +1,35 @@
 <!DOCTYPE html>
 <html>
-
-<head>
+  <head>
     <title>Swagger</title>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <link rel="stylesheet" type="text/css" href="https://unpkg.com/swagger-ui-dist@3/swagger-ui.css">
-</head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <link
+      rel="stylesheet"
+      type="text/css"
+      href="https://unpkg.com/swagger-ui-dist@3/swagger-ui.css"
+    />
+    <meta id="csrftoken" name="csrftoken" content="{csrftoken}" />
+  </head>
 
-<body>
+  <body>
     <div id="swagger-ui"></div>
     <script src="https://unpkg.com/swagger-ui-dist@3/swagger-ui-bundle.js"></script>
     <script>
-        const ui = SwaggerUIBundle({
-            url: "{% url 'schema' %}",
-            dom_id: '#swagger-ui',
-            presets: [
-                SwaggerUIBundle.presets.apis,
-                SwaggerUIBundle.SwaggerUIStandalonePreset
-            ],
-            layout: "BaseLayout",
-            requestInterceptor: (request) => {
-                request.headers['X-CSRFToken'] = "{{ csrf_token }}"
-                return request;
-            }
-        })
+      const ui = SwaggerUIBundle({
+        url: "{% url 'schema' %}",
+        dom_id: "#swagger-ui",
+        presets: [
+          SwaggerUIBundle.presets.apis,
+          SwaggerUIBundle.SwaggerUIStandalonePreset,
+        ],
+        layout: "BaseLayout",
+        requestInterceptor: (request) => {
+          request.headers["X-CSRFToken"] =
+            document.getElementById("csrftoken").innerHTML;
+          return request;
+        },
+      });
     </script>
-</body>
-
+  </body>
 </html>
diff --git a/grai-server/app/the_guide/settings/base.py b/grai-server/app/the_guide/settings/base.py
index 76807dc52..009b2a833 100755
--- a/grai-server/app/the_guide/settings/base.py
+++ b/grai-server/app/the_guide/settings/base.py
@@ -438,7 +438,7 @@ def inner(value: str | bool) -> bool:
 # Content Security Policy
 CSP_IMG_SRC = "'self' data: https://cdn.redoc.ly"
 CSP_STYLE_SRC = "'self' 'unsafe-inline' https://unpkg.com https://fonts.googleapis.com"
-CSP_SCRIPT_SRC = "'self' 'unsafe-inline' blob: https://unpkg.com https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js"
+CSP_SCRIPT_SRC = "'self' blob: https://unpkg.com https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js 'sha256-Ri7Dq6kn4d1SzxucogauP62ISolkcXZOaUT8I/xEVGg=' 'sha256-J8pGp/Y6gm05ag6P7dPEm65mUl5R2czgNxQwp+oKbgY='"
 CSP_FONT_SRC = "'self' data: https://fonts.gstatic.com"
 CSP_OBJECT_SRC = "'none'"
 CSP_REPORT_ONLY = config("CSP_REPORT_ONLY", default=False, cast=bool)