Move Swagger UI inline script to index.js

Remove unsafe-inline CSP from previous commit
2 months ago · d697a99bac
4 changed files with 33 additions and 24 deletions
--- a/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
+++ b/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
@ -18,9 +18,6 @@ map $request_uri $csp_header {
    # The CSP for the Stripe donation page:
    # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
    "~^/donate_stripe$" "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
-    # The CSP for the API explorer Swagger UI:
-    # - "unsafe-inline" in script-src is needed for the script in the template index.html
-    "~^/api/beta/ui$" "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
 }

 server {
--- a/ansible/roles/swagger_ui/files/index.html
+++ b/ansible/roles/swagger_ui/files/index.html
@ -11,26 +11,6 @@
    <div id="swagger-ui"></div>
    <script src="/swagger-ui/swagger-ui-bundle.js" charset="UTF-8"> </script>
    <script src="/swagger-ui/swagger-ui-standalone-preset.js" charset="UTF-8"> </script>
-    <script${nonce_attr}>
-        window.onload = function() {
-            const uiConfig = ${ui_config};
-            Object.assign(uiConfig, {
-                presets: [
-                    SwaggerUIBundle.presets.apis,
-                    SwaggerUIStandalonePreset,
-                ],
-                plugins: [
-                    SwaggerUIBundle.plugins.DownloadUrl,
-                ],
-            });
-            const oauthConfig = ${oauth_config};
-            // Build a system
-            const ui = SwaggerUIBundle(uiConfig);
-            if (oauthConfig) {
-                ui.initOAuth(oauthConfig);
-            }
-            window.ui = ui;
-        }
-    </script>
+    <script src="/swagger-ui/index.js" charset="UTF-8"> </script>
  </body>
 </html>
--- a/ansible/roles/swagger_ui/files/index.js
+++ b/ansible/roles/swagger_ui/files/index.js
@ -0,0 +1,26 @@
+window.onload = function() {
+    const uiConfig = {
+        "url": "/api/beta/openapi.yaml",
+        "dom_id": "#swagger-ui",
+        "deepLinking": true,
+        "validatorUrl": null,
+        "layout": "StandaloneLayout",
+        "oauth2RedirectUrl": "/api/beta/ui/oauth2-redirect"
+    };
+    Object.assign(uiConfig, {
+        presets: [
+            SwaggerUIBundle.presets.apis,
+            SwaggerUIStandalonePreset,
+        ],
+        plugins: [
+            SwaggerUIBundle.plugins.DownloadUrl,
+        ],
+    });
+    const oauthConfig = null;
+    // Build a system
+    const ui = SwaggerUIBundle(uiConfig);
+    if (oauthConfig) {
+        ui.initOAuth(oauthConfig);
+    }
+    window.ui = ui;
+}
--- a/ansible/roles/swagger_ui/tasks/main.yml
+++ b/ansible/roles/swagger_ui/tasks/main.yml
@ -22,3 +22,9 @@
        owner: "{{ app_username }}"
        group: "{{ app_username }}"
        mode: 0644
+    - copy:
+        src: "index.js"
+        dest: "{{ app_dir }}/static/swagger-ui/index.js"
+        owner: "{{ app_username }}"
+        group: "{{ app_username }}"
+        mode: 0644