From d3eb263a3b4b62a64c8cd9140d7b41ab66ae9baa Mon Sep 17 00:00:00 2001
From: ftsell
Date: Sun, 14 Jan 2024 19:50:31 +0100
Subject: [PATCH] set Cross-Origin-Opener-Policy on Swagger-UI view

This is required because Swagger-UI uses `window.opener` references to communicate to itself when doing OAuth authentication. Djangos default COOP however blocks these references so that swagger cannot correctly pass its authentication state between windows.
---
 drf_spectacular/views.py | 3 +++
 tests/test_view.py | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/drf_spectacular/views.py b/drf_spectacular/views.py
index ac599c79..593dead6 100644
--- a/drf_spectacular/views.py
+++ b/drf_spectacular/views.py
@@ -146,6 +146,9 @@ def get(self, request, *args, **kwargs):
 'schema_auth_names': self._dump(self._get_schema_auth_names()),
 },
 template_name=self.template_name,
+ headers={
+ "Cross-Origin-Opener-Policy": "unsafe-none",
+ }
 )
 
 def _dump(self, data):
diff --git a/tests/test_view.py b/tests/test_view.py
index b900cbd5..9f3af9c2 100644
--- a/tests/test_view.py
+++ b/tests/test_view.py
@@ -150,6 +150,13 @@ def test_spectacular_ui_with_raw_settings(no_warnings):
 assert b'const swaggerSettings = {"deepLinking": true};\n' in response.content
 
 
+@pytest.mark.urls(__name__)
+def test_spectacular_ui_coop():
+ response = APIClient().get('/api/v2/schema/swagger-ui/')
+ assert response.status_code == 200
+ assert response["Cross-Origin-Opener-Policy"] == "unsafe-none"
+
+
 @pytest.mark.urls(__name__)
 def test_spectacular_ui_param_passthrough(no_warnings):
 response = APIClient().get('/api/v2/schema/swagger-ui/?foo=bar&lang=jp&version=v2')
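Review bot: The new `headers=` argument in `get()` hard-codes `"Cross-Origin-Opener-Policy": "unsafe-none"` on every Swagger-UI response, so the page loses opener isolation even in deployments that configure no OAuth2 flow. It also replaces whatever the project set through Django's `SECURE_CROSS_ORIGIN_OPENER_POLICY`, with no way to opt out. I would send the header only when OAuth2 is configured for the UI, or make the value overridable. It is also worth checking whether the narrower `same-origin-allow-popups` is enough for the popup flow, which I have not verified. The reason belongs next to the code, e.g. `# Swagger-UI's OAuth2 popup reports back via window.opener; Django's default COOP (same-origin) severs that reference.` `get()` starts above this hunk, so the rest of the response construction is not visible here.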
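Review bot: `test_spectacular_ui_coop` only shows that the view emits the header; it does not show that the value survives Django's `SecurityMiddleware`, which is the interaction the commit message describes. Whether the test settings enable that middleware is not visible here. If they do not, running the test with it active (for example `@override_settings(MIDDLEWARE=['django.middleware.security.SecurityMiddleware'])`) would exercise the real case. A companion assertion that another schema route does not carry `unsafe-none` would guard against the relaxation spreading beyond this view. The neighbouring tests take the `no_warnings` fixture, which this one omits.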