
CSP headers break schema #68

Assignees
Labels
bug Something isn't working owner: amsterdam

Comments

@Coperh
Contributor

Coperh commented Sep 10, 2024

Product versie / Product version

0.8.0

Omschrijf het probleem / Describe the bug

CSP headers prevent schema from loading external scripts

Reported here, maykinmedia/open-klant#242/

Confirmed in OpenZaak 1.14

Stappen om te reproduceren / Steps to reproduce

  1. Go to open-klant /contactgegevens/api/v1/schema/

Verwacht gedrag / Expected behavior

Page should load correctly

@Coperh Coperh added the bug Something isn't working label Sep 10, 2024
@Coperh Coperh self-assigned this Sep 10, 2024
@Coperh
Contributor Author

Coperh commented Sep 10, 2024

Three potential fixes:

Exclude the schema URLs. This is the quick way but does need to include all component URLs since they are "prefixes"

# for open klant
CSP_EXCLUDE_URL_PREFIXES += (
    "/contactgegevens/api/v1/schema/",
    "/klantinteracties/api/v1/schema/"
)

Allow sources for CSP

# used for DRF Spectacular
CSP_FONT_SRC = ("'self'", "fonts.gstatic.com")
CSP_WORKER_SRC = ("'self'", "blob:")

CSP_DEFAULT_SRC += ["'unsafe-inline'"] # Open zaak might want this anyway
CSP_IMG_SRC += ["cdn.redoc.ly", "data:"]
CSP_SCRIPT_SRC += ["cdn.jsdelivr.net"]
CSP_STYLE_SRC += ["fonts.googleapis.com"]

Also might be extra per project source e.g. OZ wants the vng github

The more proper way might be to install drf-spectacular-sidecar https://drf-spectacular.readthedocs.io/en/latest/faq.html#my-swagger-ui-and-or-redoc-page-is-blank

@Coperh Coperh changed the title CSP headers break scheme CSP headers break schema Sep 10, 2024
@Coperh
Contributor Author

Coperh commented Sep 10, 2024

@Coperh Coperh added the triage Triage means the team has not yet refined this issue. label Sep 10, 2024
@alextreme
Member

Looking at drf-spectacular-sidecar, this seems to me to be the proper route. If you don't need externally hosted scripts served via a CDN then setting CSP headers site-wide becomes a lot easier. This combined with the move from yasg to spectacular for OZ means that this should work for all components.

As an aside, Sergei pointed out that /admin was also excluded in CSP_EXCLUDE_URL_PREFIXES. This shouldn't be the case (the whole reason why we added CSP to OAf was for /admin).
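As an added example (not code from open-klant, open-zaak or django-csp), the snippet below builds the Content-Security-Policy header that settings like the "allow sources" option above produce, mirrors the prefix match behind CSP_EXCLUDE_URL_PREFIXES so you can confirm that schema paths are exempt while /admin is not, and flags directives carrying 'unsafe-inline'. The settings and prefixes are constructed from the values quoted in this issue.

```python
# Added example (not the projects' own code): inspect django-csp style settings.
from typing import Dict, List, Tuple

# Constructed settings mirroring the "allow sources for CSP" option in the issue.
CDN_SETTINGS: Dict[str, Tuple[str, ...]] = {
    "CSP_DEFAULT_SRC": ("'self'", "'unsafe-inline'"),
    "CSP_SCRIPT_SRC": ("'self'", "cdn.jsdelivr.net"),
    "CSP_STYLE_SRC": ("'self'", "fonts.googleapis.com"),
    "CSP_IMG_SRC": ("'self'", "cdn.redoc.ly", "data:"),
    "CSP_FONT_SRC": ("'self'", "fonts.gstatic.com"),
    "CSP_WORKER_SRC": ("'self'", "blob:"),
}
# Constructed prefixes for the "exclude the schema URLs" option.
EXCLUDE_PREFIXES: Tuple[str, ...] = (
    "/contactgegevens/api/v1/schema/",
    "/klantinteracties/api/v1/schema/",
)


def build_csp_header(settings: Dict[str, Tuple[str, ...]]) -> str:
    """Turn CSP_<DIRECTIVE>_SRC settings into one header value."""
    parts = []
    for key, sources in settings.items():
        # CSP_SCRIPT_SRC -> script-src, CSP_DEFAULT_SRC -> default-src, ...
        directive = key[len("CSP_"):].lower().replace("_", "-")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Inverse of build_csp_header: directive name -> list of sources."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def source_allowed(header: str, directive: str, source: str) -> bool:
    """True if the source is listed for the directive; falls back to default-src."""
    policy = parse_csp(header)
    return source in policy.get(directive, policy.get("default-src", []))


def is_excluded(path: str, prefixes: Tuple[str, ...] = EXCLUDE_PREFIXES) -> bool:
    """Same prefix match django-csp applies for CSP_EXCLUDE_URL_PREFIXES."""
    return any(path.startswith(prefix) for prefix in prefixes)


def weak_directives(settings: Dict[str, Tuple[str, ...]]) -> List[str]:
    """Settings keys that carry 'unsafe-inline', which undoes script/style CSP."""
    return [key for key, sources in settings.items() if "'unsafe-inline'" in sources]
```

Because 'unsafe-inline' sits in default-src here, every directive without its own entry (for example connect-src) inherits it, which is why the sidecar route is the safer one for site-wide CSP.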

@joeribekker
Member

Refinement: Will be fixed in all components.

Coperh added a commit that referenced this issue Sep 20, 2024
Coperh added a commit that referenced this issue Sep 20, 2024
Coperh added a commit that referenced this issue Sep 25, 2024
Coperh added a commit to open-zaak/open-zaak that referenced this issue Sep 25, 2024
Coperh added a commit that referenced this issue Sep 25, 2024
…cular

🐛[#68] add CSP headers for DRF spectacular schema
Coperh added a commit to maykinmedia/open-klant that referenced this issue Sep 27, 2024
Coperh added a commit to maykinmedia/objecttypes-api that referenced this issue Sep 27, 2024
Coperh added a commit to maykinmedia/open-klant that referenced this issue Sep 27, 2024
Coperh added a commit to maykinmedia/referentielijsten that referenced this issue Sep 27, 2024
Coperh added a commit to maykinmedia/objects-api that referenced this issue Sep 27, 2024
Coperh added a commit to open-zaak/open-zaak that referenced this issue Sep 27, 2024
@github-project-automation github-project-automation bot moved this from Implemented to Done in Data en API fundament Sep 27, 2024
@Coperh Coperh reopened this Sep 27, 2024
@github-project-automation github-project-automation bot moved this from Done to In Progress in Data en API fundament Sep 27, 2024
Coperh added a commit to maykinmedia/objects-api that referenced this issue Oct 1, 2024
@github-project-automation github-project-automation bot moved this from Implemented to Done in Data en API fundament Oct 1, 2024
@Coperh Coperh reopened this Oct 1, 2024
@github-project-automation github-project-automation bot moved this from Done to In Progress in Data en API fundament Oct 1, 2024
@annashamray annashamray mentioned this issue Oct 1, 2024
6 tasks
Coperh added a commit to maykinmedia/open-klant that referenced this issue Oct 1, 2024
Coperh added a commit to open-zaak/open-notificaties that referenced this issue Oct 1, 2024
@github-project-automation github-project-automation bot moved this from Implemented to Done in Data en API fundament Oct 1, 2024
Coperh added a commit to maykinmedia/referentielijsten that referenced this issue Oct 1, 2024
@Coperh Coperh reopened this Oct 1, 2024
@github-project-automation github-project-automation bot moved this from Done to In Progress in Data en API fundament Oct 1, 2024
annashamray pushed a commit to maykinmedia/objects-api that referenced this issue Oct 1, 2024
annashamray pushed a commit to maykinmedia/objects-api that referenced this issue Oct 1, 2024
Coperh added a commit to maykinmedia/open-klant that referenced this issue Oct 3, 2024
@github-project-automation github-project-automation bot moved this from Implemented to Done in Data en API fundament Oct 3, 2024