feat(oauth2-redirect): externalize inline script for CSP compliance (#10559)

davidanrod · web-flow · commit 35eb10306c76 · 2025-09-09T12:09:10.000+02:00
diff --git a/dev-helpers/oauth2-redirect.html b/dev-helpers/oauth2-redirect.html
@@ -3,74 +3,4 @@
 <body>
 </body>
 </html>
-<script>
-    'use strict';
-    function run () {
-        var oauth2 = window.opener.swaggerUIRedirectOauth2;
-        var sentState = oauth2.state;
-        var redirectUrl = oauth2.redirectUrl;
-        var isValid, qp, arr;
-
-        if (/code|token|error/.test(window.location.hash)) {
-            qp = window.location.hash.substring(1).replace('?', '&');
-        } else {
-            qp = location.search.substring(1);
-        }
-
-        arr = qp.split("&")
-        arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace('=', '":"') + '"';})
-        qp = qp ? JSON.parse('{' + arr.join() + '}',
-                function (key, value) {
-                    return key === "" ? value : decodeURIComponent(value)
-                }
-        ) : {}
-
-        isValid = qp.state === sentState
-
-        if ((
-          oauth2.auth.schema.get("flow") === "accessCode" ||
-          oauth2.auth.schema.get("flow") === "authorizationCode" ||
-          oauth2.auth.schema.get("flow") === "authorization_code"
-        ) && !oauth2.auth.code) {
-            if (!isValid) {
-                oauth2.errCb({
-                    authId: oauth2.auth.name,
-                    source: "auth",
-                    level: "warning",
-                    message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
-                });
-            }
-
-            if (qp.code) {
-                delete oauth2.state;
-                oauth2.auth.code = qp.code;
-                oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl});
-            } else {
-                let oauthErrorMsg
-                if (qp.error) {
-                    oauthErrorMsg = "["+qp.error+"]: " +
-                        (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
-                        (qp.error_uri ? "More info: "+qp.error_uri : "");
-                }
-
-                oauth2.errCb({
-                    authId: oauth2.auth.name,
-                    source: "auth",
-                    level: "error",
-                    message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
-                });
-            }
-        } else {
-            oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl});
-        }
-        window.close();
-    }
-
-    if( document.readyState !== 'loading' ) {
-      run();
-    } else {
-      document.addEventListener('DOMContentLoaded', function () {
-        run();
-      });
-    }
-</script>
+<script src="oauth2-redirect.js"></script>
diff --git a/dev-helpers/oauth2-redirect.js b/dev-helpers/oauth2-redirect.js
@@ -0,0 +1,69 @@
+"use strict"
+function run () {
+    var oauth2 = window.opener.swaggerUIRedirectOauth2
+    var sentState = oauth2.state
+    var redirectUrl = oauth2.redirectUrl
+    var isValid, qp, arr
+
+    if (/code|token|error/.test(window.location.hash)) {
+        qp = window.location.hash.substring(1).replace("?", "&")
+    } else {
+        qp = location.search.substring(1)
+    }
+
+    arr = qp.split("&")
+    arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace("=", '":"') + '"' })
+    qp = qp ? JSON.parse("{" + arr.join() + "}",
+            function (key, value) {
+                return key === "" ? value : decodeURIComponent(value)
+            }
+    ) : {}
+
+    isValid = qp.state === sentState
+
+    if ((
+        oauth2.auth.schema.get("flow") === "accessCode" ||
+        oauth2.auth.schema.get("flow") === "authorizationCode" ||
+        oauth2.auth.schema.get("flow") === "authorization_code"
+    ) && !oauth2.auth.code) {
+        if (!isValid) {
+            oauth2.errCb({
+                authId: oauth2.auth.name,
+                source: "auth",
+                level: "warning",
+                message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
+            })
+        }
+
+        if (qp.code) {
+            delete oauth2.state
+            oauth2.auth.code = qp.code
+            oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl})
+        } else {
+            let oauthErrorMsg
+            if (qp.error) {
+                oauthErrorMsg = "["+qp.error+"]: " +
+                    (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
+                    (qp.error_uri ? "More info: "+qp.error_uri : "")
+            }
+
+            oauth2.errCb({
+                authId: oauth2.auth.name,
+                source: "auth",
+                level: "error",
+                message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
+            })
+        }
+    } else {
+        oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl})
+    }
+    window.close()
+}
+
+if( document.readyState !== "loading" ) {
+    run()
+} else {
+    document.addEventListener("DOMContentLoaded", function () {
+    run()
+    })
+}
