Fix request-specific Swagger UI index transformations #3279
Open
limehee wants to merge 1 commit into springdoc:spring-boot-4 from
dc6bce2 to 49b90bc
Swagger UI index.html can be customized through SwaggerIndexTransformer, including CSP nonce injection, but cached resource handlers stored the first transformed index resource and reused it for later requests. Register index.html with the uncached Swagger UI handler patterns, matching swagger-initializer.js behavior, while retaining resource resolution caching.
49b90bc to 4720f6d
Fixes #3264
Summary
This PR makes swagger-ui/index.html use the uncached Swagger UI resource handler so request-specific SwaggerIndexTransformer changes are not reused across requests.
This keeps index.html aligned with swagger-initializer.js, which already uses an uncached handler.
Background
The regression appears to come from cc1a4e58c (Abstract shared Swagger configurer logic). That change introduced shared Swagger resource handler configuration and split Swagger UI resources into:
swagger-initializer.js
That works for static assets, but index.html is also passed through SwaggerIndexTransformer. If an application customizes the index page with request-specific data, such as a CSP nonce, the first transformed index.html response can be cached and reused for later requests.
For CSP, this is incorrect because the nonce must be generated per request.
Changes
Constants.INDEX_PAGE_PATTERN as /*index.html.
index.html patterns with the existing uncached resource handler path.
/swagger-ui/index.html twice with different request nonce values and verifies that the second response does not reuse the first nonce.
Verification
mvn -f springdoc-openapi-starter-common/pom.xml -DskipTests install
mvn -f springdoc-openapi-starter-webmvc-ui/pom.xml -Dtest=SpringDocApp40Test,SpringDocApp42Test test
Note
CI on spring-boot-4 currently also requires #3280, which aligns the springdoc-openapi-tests parent versions with the branch snapshot. This PR intentionally keeps only the Swagger UI index transformation fix.
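
The cached-versus-uncached split described in this PR, shown as an added Spring MVC configuration example (not code from this PR or from springdoc). The /docs paths, the classpath location, the cspNonce request attribute and the __CSP_NONCE__ placeholder are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.resource.ResourceTransformer;
import org.springframework.web.servlet.resource.ResourceTransformerChain;
import org.springframework.web.servlet.resource.TransformedResource;

@Configuration
public class DocsResourceConfig implements WebMvcConfigurer {

    // Hypothetical transformer: writes the current request's CSP nonce into the page.
    static final class NonceTransformer implements ResourceTransformer {
        @Override
        public Resource transform(HttpServletRequest request, Resource resource,
                ResourceTransformerChain chain) throws IOException {
            Resource next = chain.transform(request, resource);
            // Assumption: an upstream filter generated the nonce and stored it as "cspNonce".
            Object nonce = request.getAttribute("cspNonce");
            if (nonce == null) {
                throw new IllegalStateException("no CSP nonce on request; refusing to serve page");
            }
            try (InputStream in = next.getInputStream()) {
                String html = new String(in.readAllBytes(), StandardCharsets.UTF_8);
                // "__CSP_NONCE__" is a placeholder assumed to be present in the template.
                byte[] out = html.replace("__CSP_NONCE__", nonce.toString())
                        .getBytes(StandardCharsets.UTF_8);
                return new TransformedResource(next, out);
            }
        }
    }

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Static assets are identical for every request, so the caching chain is safe here.
        registry.addResourceHandler("/docs/**")
                .addResourceLocations("classpath:/static/docs/")
                .resourceChain(true);
        // index.html is request-specific: resourceChain(true) would add a caching
        // transformer ahead of NonceTransformer and replay the first request's output.
        registry.addResourceHandler("/docs/*index.html")
                .addResourceLocations("classpath:/static/docs/")
                .resourceChain(false)
                .addTransformer(new NonceTransformer());
    }
}
```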