Lots of Content Security Policy errors about express-openapi HOT 5 CLOSED

I was able to solve the issues by including a middleware that adds the appropriate CSP policies for the OAPI docs routes.

I'm not sure if the CSP for these pages needs to be too strict, so I left it pretty lax. Obviously it could be configured to be more specific to the resource type.

const openapiCSP = (req, res, next) => {
  res.set({ 'Content-Security-Policy': "default-src * 'self' 'unsafe-inline' 'unsafe-eval' blob: data:"});
  next();
};
app.use('/api/redoc', openapiCSP, openapi.redoc);
app.use('/api/swaggerui', openapiCSP, openapi.swaggerui);

This might be something worth adding into the library itself though.

from express-openapi.

Hm, I actually would prefer those libraries to handle that, since it is entirely in their domain of control. Could it be that we are outdated and need to update those packages? If that is the case an update PR would be most welcome.

from express-openapi.

Im not so familiar with the libraries being used, but I agree with trying to implement this at the highest level. Would those libraries support setting CSP policies though? Seems like something that needs to be handled at the server level.

It looks like the swagger-parser package is pretty far behind (as well as a couple others)

How would an update PR work? Are there autmated tests?

from express-openapi.

There are automated tests, so you would just make a branch, then run npm update swagger-parser --latest and commit the changes in package.json. Submit that as a PR. Even with automated tests, I typically will also run them locally to do a manual check before publishing. I also typically fire up a server and check the UI if there are changes to those packages which provide the UI.

from express-openapi.

Closing this in favor of the new PR.

from express-openapi.