fix: relax CSP for /docs page — allow unsafe-eval for Swagger UI 5.x (ajv)
All checks were successful
Build & Deploy to Staging / Build & Deploy to Staging (push) Successful in 8m41s
Swagger UI 5.x uses new Function() via ajv for JSON schema validation. Helmet default CSP (script-src self) blocks this in Firefox, causing TypeError: NetworkError when attempting to fetch resource on Try It. Override CSP on /docs route to allow unsafe-eval.
This commit is contained in:
parent
a996c76c11
commit
a45d7704ab
3 changed files with 24 additions and 6 deletions
@ -199,6 +199,11 @@ app.use(express.static(path.join(__dirname, "../public"), {
// Docs page (clean URL)
app.get("/docs", (_req, res) => {
// Swagger UI 5.x uses new Function() (via ajv) for JSON schema validation.
// Override helmet's default CSP to allow 'unsafe-eval' + blob: for Swagger UI.
res.setHeader("Content-Security-Policy",
"default-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' https: 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' https: data:;connect-src 'self';worker-src 'self' blob:;base-uri 'self';form-action 'self';frame-ancestors 'self';object-src 'none'"
);
res.setHeader('Cache-Control', 'public, max-age=86400');
res.sendFile(path.join(__dirname, "../public/docs.html"));
});
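Review bot: the symptom quoted in the commit message does not match the directive this hunk relaxes in the `res.setHeader("Content-Security-Policy", ...)` block. A `script-src` block on `new Function()` surfaces in Firefox as an EvalError (call to Function() blocked by CSP), whereas "NetworkError when attempting to fetch resource" is a failed fetch, which is what a `connect-src` violation produces; the new policy keeps `connect-src 'self'`, so Try It requests to any API host other than the docs origin will still fail after this change. Check the violated directive reported in the browser console before shipping `'unsafe-eval'`, and if ajv really is the blocker, keep that as the only relaxation. Separately, `style-src 'self' https: 'unsafe-inline'` and `font-src 'self' https: data:` admit every HTTPS origin; since scripts are already restricted to `'self'`, list the specific asset origins Swagger UI loads from, or drop `https:` entirely if the UI is bundled locally. The comment above the header mentions `blob:` but not why; a one-line note that it covers the `img-src` and `worker-src` entries only would save the next reader from widening it to `script-src`.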