fix: send request from editor#313
Conversation
marketing-site AI Review: 🟢 Completed
Reunite Bot has reviewed your changes and found 2 potential issue(s).
Note
Low Risk
This is a minor and targeted change to the Content Security Policy (CSP) that allows client-side requests to Redocly subdomains. It carries minimal operational or security risk, as it permits connections to a known and trusted service without altering core application logic.
Overview
Updates the connect-src CSP directive in redocly.yaml to include https://*.redocly.com. This change unblocks cross-origin requests to Redocly services (e.g., cors.redocly.com), enabling the editor to successfully send requests.
| base-uri 'self'; | ||
| connect-src | ||
| 'self' | ||
| https://*.redocly.com |
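Review bot: `https://*.redocly.com` in `connect-src` is wider than the stated objective of reaching `cors.redocly.com`; it admits every current and future Redocly subdomain as a connection target, which is exactly the surface an injected script would use to exfiltrate data. Suggest `https://cors.redocly.com` and add further hosts explicitly as they are needed. Also note that the wildcard host-source never matches the apex `redocly.com` itself, so if any script talks to the apex it still needs its own entry.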
The wildcard *.redocly.com is overly broad. Since the PR objective is to unblock cors.redocly.com, restrict it to that specific subdomain to follow the principle of least privilege and reduce exfiltration risks.
Don't see a problem with opening all our subdomains here.
| base-uri 'self'; | ||
| connect-src | ||
| 'self' | ||
| https://*.redocly.com |
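Review bot: this hunk edits the global section only; if the `/editor` path has its own CSP block with its own `connect-src`, as the thread states, that block keeps blocking `cors.redocly.com` and the editor fix will not take effect. Either add `https://cors.redocly.com` to the `/editor` block as well or drop the per-path `connect-src` so the global value applies, and add the editor page to the Testing section so the fix is verified on the route it targets.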
This change in the global ** section likely won't fix the editor issue. The /editor path has its own CSP policy (line 281) which will continue to block requests to cors.redocly.com.
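To make the two review points above concrete, here is an added example (written for this page; it is not code from the PR, from Redocly, or from the Reunite bot) that approximates CSP3 host-source matching in Python and evaluates the wildcard and least-privilege `connect-src` variants, then models how a path-scoped section can shadow the global one. The page origin `https://marketing.example`, the contents of the `/editor` policy, and the rule that a specific path section overrides the global `**` section are assumptions for illustration, not facts read from redocly.yaml.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Constructed policies (not the project's redocly.yaml): the wildcard form
# from this PR and a least-privilege form naming only the host the PR
# description says it needs.
POLICY_WILDCARD = "base-uri 'self'; connect-src 'self' https://*.redocly.com"
POLICY_STRICT = "base-uri 'self'; connect-src 'self' https://cors.redocly.com"

# Assumed page origin used for the 'self' checks.
PAGE_ORIGIN = "https://marketing.example"

# Assumed model of path-scoped sections: a section for a specific path
# overrides the '**' catch-all, as the second review comment describes.
PATH_POLICIES = {
    "**": POLICY_WILDCARD,
    "/editor": "base-uri 'self'; connect-src 'self'",  # assumed: left unchanged by the PR
}


def parse_csp(policy):
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            # CSP keeps the first occurrence of a duplicated directive.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _port_of(parsed):
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def source_matches(source, url, page_origin=PAGE_ORIGIN):
    """Approximate CSP3 host-source matching of one source expression."""
    target, origin = urlparse(url), urlparse(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (target.scheme, target.hostname, _port_of(target)) == \
            (origin.scheme, origin.hostname, _port_of(origin))
    if source == "*":
        return target.scheme in DEFAULT_PORTS
    src = urlparse(source if "://" in source else "//" + source)
    # Scheme: an explicit scheme must match exactly; a scheme-less source
    # inherits the page's scheme and also accepts the https upgrade.
    if src.scheme:
        if src.scheme != target.scheme:
            return False
    elif target.scheme not in {origin.scheme, "https"}:
        return False
    # Host: "*.redocly.com" admits every subdomain (cors., api., anything
    # registered later) but not the apex "redocly.com" itself.
    src_host, tgt_host = (src.hostname or ""), (target.hostname or "")
    if src_host.startswith("*."):
        if not tgt_host.endswith(src_host[1:]):
            return False
    elif src_host != tgt_host:
        return False
    # Port: explicit or scheme-default port must match; "host:*" is any port.
    try:
        src_port = src.port if src.port is not None else DEFAULT_PORTS.get(src.scheme)
    except ValueError:
        src_port = None
    if src_port is not None and src_port != _port_of(target):
        return False
    # Path: a trailing slash means prefix match, otherwise exact match.
    if src.path and src.path != "/":
        if src.path.endswith("/"):
            return target.path.startswith(src.path)
        return target.path == src.path
    return True


def connect_allowed(policy, url, page_origin=PAGE_ORIGIN):
    """Would a fetch/XHR/WebSocket from page_origin to url pass this policy?"""
    directives = parse_csp(policy)
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True  # no governing directive: connections are unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)


def effective_policy(path, policies=PATH_POLICIES):
    """Most specific path section wins; fall back to the '**' catch-all."""
    best = None
    for pattern, policy in policies.items():
        if pattern == "**":
            continue
        if path == pattern or path.startswith(pattern.rstrip("/") + "/"):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, policy)
    return best[1] if best else policies["**"]


def editor_request_allowed(path, url="https://cors.redocly.com/proxy", policies=PATH_POLICIES):
    """Apply the section that governs `path` to a request the editor makes."""
    return connect_allowed(effective_policy(path, policies), url)


if __name__ == "__main__":
    for url in ("https://cors.redocly.com/proxy", "https://other.redocly.com/x",
                "https://redocly.com/", "http://cors.redocly.com/proxy"):
        print(f"{url:36} wildcard={connect_allowed(POLICY_WILDCARD, url)!s:5} "
              f"strict={connect_allowed(POLICY_STRICT, url)}")
    for path in ("/docs/intro", "/editor"):
        print(f"{path:12} editor request allowed: {editor_request_allowed(path)}")
```

Running it prints, for each target, whether the wildcard and the strict policy admit it: both admit `cors.redocly.com`, only the wildcard admits an arbitrary other subdomain, and neither admits the apex or a plain-http variant. The second loop shows the scoping problem: with the assumed `/editor` section still carrying its own `connect-src 'self'`, the global change admits the request under `/docs/intro` but the editor route stays blocked.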
What/Why/How?
Updated CSP policy to unblock requests to cors.redocly.com
Reference
Testing
Screenshots (optional)
Check yourself
Security