riemann/riemann

Online API Documentation refuses to show source

faxm0dem opened this issue · 9 comments

When clicking on "View Source" on the API docs we get this:

Blocked by Content Security Policy

@aphyr controls the host and I suspect will need to make some changes to server headers.

aphyr commented

Huh, this is all github hosted... wonder if they changed an origin CSP or something.

aphyr commented

Ahhhh, it's mad because we try to frame it from the riemann.io domain. Hmmmmmm.

Oh. Yeah GH pages. No coffee yeah.

aphyr commented

Hmm. Both pages are hosted by github pages on riemann.io, so... you'd think same-origin would be OK. Browser security models have changed so much since I was last up on this stuff. Lemme google around...

aphyr commented

Yeah, it doesn't look like we get any control over the content security policy at the repo level. As a quick fix, we could replace the frame with a regular old link--users wouldn't get the top nav bar any more, but that's not the end of the world. Another option would be to do some sort of HTML rewriting as a build step when CODOX gets built. Or we could move riemann.io to its own server somewhere?

aphyr commented

Possssibly we could work around this with a <meta http-equiv="Content-Security-Policy" content="...">? I'm not sure what takes precedence...

Unfortunately, frame-ancestors isn't supported in meta tags. :(

IMHO a simple link to the gh source would be a lesser evil and a good compromise for work involved/functionality.

The web sucks in 2020, doesn't it?
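On the precedence question raised in the thread: a browser enforces every policy it receives, so a `<meta>` policy can only add restrictions, and `frame-ancestors` inside a `<meta>` policy is ignored. The sketch below is an added example, not code from the Riemann project or GitHub, and models that decision in simplified form. The policy strings, the `example.com`/`example.org` origins, and the function names are constructed for illustration; the header GitHub Pages actually sends is not shown on this page.

```javascript
// Simplified model of a browser's frame-ancestors check for one parent frame.
// Real browsers test every ancestor frame and also honour X-Frame-Options.

// Parse one serialized policy into Map(directive -> [sources]); first duplicate wins.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Match one source expression against the ancestor's origin (paths are never compared).
function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s.startsWith("'")) return false; // 'none' and other keywords match nothing here
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s; // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Simplification: a source without a scheme is accepted for any ancestor scheme.
  if (scheme && ancestor.protocol !== scheme + ':') return false;
  const aPort = ancestor.port || (ancestor.protocol === 'https:' ? '443' : '80');
  if (port ? (port !== '*' && port !== aPort) : ancestor.port !== '') return false;
  return wildcard ? ancestor.hostname.endsWith('.' + host) : ancestor.hostname === host;
}

// policies: [{ delivery: 'header' | 'meta', value: '...' }].
// All policies are enforced together, so a single blocking policy blocks the frame.
function framingAllowed(policies, ancestorUrl, selfUrl) {
  const ancestor = new URL(ancestorUrl), self = new URL(selfUrl);
  return policies.every(({ delivery, value }) => {
    if (delivery === 'meta') return true; // frame-ancestors is not honoured in <meta>
    const sources = parsePolicy(value).get('frame-ancestors');
    if (sources === undefined) return true; // directive absent: no framing restriction
    return sources.some((src) => sourceMatches(src, ancestor, self));
  });
}
```

With a constructed header of `frame-ancestors 'none'`, adding a `<meta>` policy of `frame-ancestors 'self'` leaves the result unchanged: the frame is still blocked, which is why the fix has to come from the response header or from dropping the frame.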