- redoc CPS issue (#1930)

hiteshghuge · hghuge · web-flow · commit 9904c6212048 · 2025-04-29T12:33:24.000+05:30
Co-authored-by: hghuge &lt;hghuge@digite.com&gt;
diff --git a/kairon/actions/server.py b/kairon/actions/server.py
@@ -1,5 +1,6 @@
 from loguru import logger as logging
 from time import time
+import copy
 
 from fastapi import FastAPI
 from fastapi import Request, status
@@ -131,6 +132,13 @@ async def add_secure_headers(request: Request, call_next):
     response.headers["Access-Control-Allow-Origin"] = (
         requested_origin if requested_origin is not None else allowed_origins[0]
     )
+    if request.url.path == "/redoc":
+        custom_csp = copy.deepcopy(csp)
+        custom_csp.worker_src("blob:")
+        secure_headers.csp = custom_csp
+        secure_headers.framework.fastapi(response)
+        secure_headers.csp = csp
+
     return response
 
 
diff --git a/kairon/api/app/main.py b/kairon/api/app/main.py
@@ -1,3 +1,4 @@
+import copy
 from fastapi import FastAPI, Request
 from fastapi.exceptions import RequestValidationError
 from fastapi.middleware.cors import CORSMiddleware
@@ -98,6 +99,12 @@ async def add_secure_headers(request: Request, call_next):
     response.headers['Cross-Origin-Resource-Policy'] = 'same-origin'
     requested_origin = request.headers.get("origin")
     response.headers["Access-Control-Allow-Origin"] = requested_origin if requested_origin is not None else allowed_origins[0]
+    if request.url.path == "/redoc":
+        custom_csp = copy.deepcopy(csp)
+        custom_csp.worker_src("blob:")
+        secure_headers.csp = custom_csp
+        secure_headers.framework.fastapi(response)
+        secure_headers.csp = csp
     return response
 
 
diff --git a/kairon/chat/server.py b/kairon/chat/server.py
@@ -1,4 +1,5 @@
 from time import time
+import copy
 
 from fastapi import FastAPI, Request
 from fastapi.exceptions import RequestValidationError
@@ -107,6 +108,12 @@ async def add_secure_headers(request: Request, call_next):
     logger.info(
         f"request path={request.url.path} completed_in={formatted_process_time}ms status_code={response.status_code}"
     )
+    if request.url.path == "/redoc":
+        custom_csp = copy.deepcopy(csp)
+        custom_csp.worker_src("blob:")
+        secure_headers.csp = custom_csp
+        secure_headers.framework.fastapi(response)
+        secure_headers.csp = csp
     return response
 
 
diff --git a/kairon/events/server.py b/kairon/events/server.py
@@ -1,3 +1,4 @@
+import copy
 from typing import Text
 
 from fastapi import FastAPI, Request, Path, Query
@@ -86,6 +87,12 @@ async def add_secure_headers(request: Request, call_next):
     response.headers["Access-Control-Allow-Origin"] = requested_origin if requested_origin else allowed_origins[0]
     response.headers['Cross-Origin-Resource-Policy'] = 'same-origin'
     response.headers['Content-Type'] = 'application/json'
+    if request.url.path == "/redoc":
+        custom_csp = copy.deepcopy(csp)
+        custom_csp.worker_src("blob:")
+        secure_headers.csp = custom_csp
+        secure_headers.framework.fastapi(response)
+        secure_headers.csp = csp
     return response
 
 
diff --git a/tests/integration_test/services_test.py b/tests/integration_test/services_test.py
@@ -30574,3 +30574,28 @@ def test_leave_non_existent_bot_1():
     assert actual["message"] == "Access to bot is denied"
     assert actual["error_code"] == 422
     assert not actual["success"]
+
+
+
+def test_redoc_headers():
+    response = client.get("/redoc")
+    assert response.status_code == 200
+    assert response.headers == {
+        "content-length": "498",
+        "content-type": "text/html; charset=utf-8",
+        "content-encoding": "gzip",
+        "vary": "Accept-Encoding",
+        "server": "Secure",
+        "strict-transport-security": "includeSubDomains; preload; max-age=31536000",
+        "x-frame-options": "SAMEORIGIN",
+        "x-xss-protection": "0",
+        "x-content-type-options": "nosniff",
+        "content-security-policy": "default-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; connect-src 'self'; frame-src 'self'; style-src 'self' https: 'unsafe-inline'; img-src 'self' https:; script-src 'self' https: 'unsafe-inline'; worker-src blob:",
+        "referrer-policy": "no-referrer",
+        "cache-control": "must-revalidate",
+        "permissions-policy": "accelerometer=(), autoplay=(), camera=(), document-domain=(), encrypted-media=(), fullscreen=(), vibrate=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(), usb=()",
+        "cross-origin-embedder-policy": "require-corp",
+        "cross-origin-opener-policy": "same-origin",
+        "cross-origin-resource-policy": "same-origin",
+        "access-control-allow-origin": "*"
+    }
