
Version >= 1.6 makes CSP more annoying #1492

Closed
ghost opened this issue Feb 7, 2022 · 3 comments
Labels
question Further information is requested

Comments

ghost commented Feb 7, 2022

Is your feature request related to a problem? Please describe.

  • Starting with Springdoc OpenAPI 1.6.0, there are two new parameters added to the last <script> tag in the swagger index.html. One of them is the parameter "configUrl", which is dynamic depending on the application. Up until Springdoc OpenAPI 1.5.13 this was not included and resulted in a standardized CSP script-hash for all applications on one server with Springdoc's swagger index.html. With this change, every swagger index.html needs its own CSP script-hash.

Before:

<script>
    window.onload = function() {
      // Begin Swagger UI call region
      const ui = SwaggerUIBundle({
        url: "https://petstore.swagger.io/v2/swagger.json",
        dom_id: '#swagger-ui',
        deepLinking: true,
        presets: [
          SwaggerUIBundle.presets.apis,
          SwaggerUIStandalonePreset
        ],
        plugins: [
          SwaggerUIBundle.plugins.DownloadUrl
        ],
        layout: "StandaloneLayout"
      });
      // End Swagger UI call region

      window.ui = ui;
    };
  </script>

After:

<script>
    window.onload = function() {
      // Begin Swagger UI call region
      const ui = SwaggerUIBundle({
        url: "https://petstore.swagger.io/v2/swagger.json",
        dom_id: '#swagger-ui',
        deepLinking: true,
        presets: [
          SwaggerUIBundle.presets.apis,
          SwaggerUIStandalonePreset
        ],
        plugins: [
          SwaggerUIBundle.plugins.DownloadUrl
        ],
        layout: "StandaloneLayout",
        "configUrl" : "/<applicationContextRoot>/v3/api-docs/swagger-config",
        "validatorUrl" : ""
      });
      // End Swagger UI call region

      window.ui = ui;
    };
  </script>

Describe the solution you'd like

  • Not sure if it's possible, but I would prefer for this configUrl parameter to be removed again, or for the inline script to be able to be offloaded into another file, so I don't have to define the CSP for it. (I'm aware that this is an issue of swagger-ui in the first place, though, but maybe I just need some more detailed explanation of why this started with 1.6.0.)
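The CSP consequence described in the issue, as an added worked example (not springdoc's or swagger-ui's own code): a CSP `'sha256-…'` hash-source is computed over the exact text between `<script>` and `</script>`, so any byte that differs per deployment (here the context root inside `configUrl`) produces a different hash, and a header that was shared by every application on the server stops working. The two script bodies below are constructed samples modelled on the snippets in the issue; the context roots `/orders`, `/inventory` and `/billing` are made up for the demonstration.

```python
"""Added example, not part of springdoc: compute CSP script-src hashes for the
inline Swagger UI bootstrap script and show why >= 1.6.0 needs one per app."""
import base64
import hashlib
import re

# Constructed sample: the inline <script> body before 1.6.0. It contains nothing
# application-specific, so one hash covers every index.html on the server.
BEFORE_TEMPLATE = """
    window.onload = function() {
      const ui = SwaggerUIBundle({
        url: "https://petstore.swagger.io/v2/swagger.json",
        dom_id: '#swagger-ui',
        deepLinking: true,
        presets: [SwaggerUIBundle.presets.apis, SwaggerUIStandalonePreset],
        plugins: [SwaggerUIBundle.plugins.DownloadUrl],
        layout: "StandaloneLayout"
      });
      window.ui = ui;
    };
  """

# Constructed sample: the >= 1.6.0 body. The application's context root is
# interpolated into configUrl, which is what makes the hash deployment-specific.
AFTER_TEMPLATE = """
    window.onload = function() {
      const ui = SwaggerUIBundle({
        url: "https://petstore.swagger.io/v2/swagger.json",
        dom_id: '#swagger-ui',
        deepLinking: true,
        presets: [SwaggerUIBundle.presets.apis, SwaggerUIStandalonePreset],
        plugins: [SwaggerUIBundle.plugins.DownloadUrl],
        layout: "StandaloneLayout",
        "configUrl": "{context_root}/v3/api-docs/swagger-config",
        "validatorUrl": ""
      });
      window.ui = ui;
    };
  """

# Matches the body of each plain <script> element (no attributes), DOTALL so
# the multi-line bootstrap is captured whole.
SCRIPT_RE = re.compile(r"<script>(.*?)</script>", re.DOTALL)


def render_after(context_root):
    """Fill in the application context root (str.replace, because the JS body
    itself contains braces that str.format would choke on)."""
    return AFTER_TEMPLATE.replace("{context_root}", context_root)


def csp_script_hash(script_body):
    """CSP hash-source for an inline script: base64(SHA-256) of the script
    element's exact text content, UTF-8 encoded, leading/trailing whitespace
    included. Any edit to the body, even one character, changes this value."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inline_script_hashes(html):
    """Every hash-source needed to allow the inline <script> blocks in html."""
    return [csp_script_hash(body) for body in SCRIPT_RE.findall(html)]


def script_src_directive(html, extra_sources=("'self'",)):
    """script-src directive that allows exactly the inline scripts found in html
    plus the given extra sources (default: same-origin bundles)."""
    sources = list(extra_sources) + ["'%s'" % h for h in inline_script_hashes(html)]
    return "script-src " + " ".join(sources)


def hashes_by_context_root(context_roots):
    """Map each application's context root to the hash its own index.html needs."""
    return {root: csp_script_hash(render_after(root)) for root in context_roots}


if __name__ == "__main__":
    apps = ["/orders", "/inventory", "/billing"]
    print("before 1.6.0, same for every app:", csp_script_hash(BEFORE_TEMPLATE))
    for root, h in hashes_by_context_root(apps).items():
        print("%-12s %s" % (root, h))
    page = ("<html><body><div id='swagger-ui'></div><script>"
            + render_after("/orders") + "</script></body></html>")
    print("Content-Security-Policy:", script_src_directive(page))
```

Two practical caveats follow from how the hash is defined: the hash has to be taken from the served HTML (fetch `swagger-ui/index.html` and hash the script body as the browser receives it, not a copy from a template), and a reverse proxy that injects a shared header for several apps behind it must list one hash per application once `configUrl` differs between them.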

ghost (author) commented Feb 7, 2022

It would be nice if we could just set the parameter "url" to "/v3/api-docs".

I've tried fiddling around with the "springdoc.swagger-ui.*" parameters, but the url parameters seem to only affect "/v3/api-docs/swagger-config".

OmarHawk commented

Ideally there is no inline script part at all so that there is no need to include or modify anything here to be able to set a secure CSP.

bnasslahsen (contributor) commented

Since v1.6.0, query params are disabled by default. You can read the CHANGELOG for more details.
See security advisory before enabling this feature.

If you want the legacy mode, you can still enable it using springdoc.swagger-ui.queryConfigEnabled=true
