Mixed content issues due to XHR over HTTP made from HTTPS page

[dalbani]

If the schemes parameter is configured (and not empty) for an API, Swagger UI picks the first [1] [2] scheme value up for API requests.
For example:

{
    "swagger": "2.0",
    "schemes": [
        "http",
        "https"
    ]
}

As a consequence, all requests will be made over HTTP.

This cause "mixed content issues" when Swagger UI is served/hosted via HTTPS and yet makes regular HTTP requests, as explained above.

[1] https://github.com/swagger-api/swagger-js/blob/master/lib/client.js#L274
[2] https://github.com/swagger-api/swagger-js/blob/master/lib/client.js#L290

[ponelat]

@dalbani I think this is a bug, because there does seem to be a check on window.location (to see if we need to use https)... https://github.com/swagger-api/swagger-js/blob/master/lib/client.js#L272

Do you have a failing case? If you have the time, please feel free to create a Pull Request. Otherwise, we can put this in the backlog (to investigate and fix).

[dalbani]

Indeed, it's in swagger-js that lies the problem (as shown in the 2 links I provided in the bug report).
But I wasn't sure what was the most appropriate place for the fix.
I mean, is swagger-js supposed to have to anything to do with browser-related window.location stuff?
Maybe passing some kind of hint (e.g. rather use HTTPS than HTTP) would be more logical?

[ponelat]

well... we could put https above http in the spec (hackish 😉)
Since swagger-js does http requests, it can know about window.location. And since the only problem I can envision is when ...

a browser on HTTPS requesting HTTP.
Would we need to hint which schema to use? Any other use cases?

[dalbani]

Since swagger-js does http requests, it can know about window.location.

Well, I couldn't find a single reference to the browser-specific window or document variables in swagger-js source code.
And this is fine with me, because you can't assume that the JS runtime will always be a browser.
Therefore my idea of some kind of hint passed by the caller (Swagger UI).

[fehguy]

Yes, we cannot rely on window to be an object since swagger-js is used in node & browser-less environments.

There are two options on this that come to mind.

First, always prefer requests over https. This is probably the easiest to implement and least controversial.

Second, allow swagger-ui to pass a hint as to which to use. That the index.html can use the window object to get the protocol.

So, I suspect that choosing https when both http, https are available is probably the right choice. But you can certainly have a method which requires http even if the top-level allows http, https. That will trigger the same error.

[dalbani]

Indeed, preferring HTTPS over HTTP is the simplest solution. But are we sure that HTTPS is supported in all environments where swagger-js is running? I suppose so, I'm kind of thinking out loud :-)

And what about ws vs wss? How do Swagger UI handles WebSocket at the moment by the way?
If an API is defined with "schemes": [ "http", "https", "ws", "wss" ], how should this be globally handled by Swagger UI/JS?

[IanRogers-LShift]

We're deploying java using swagger annotations into Amazon AWS - https is terminated by the AWS load-balancer and the server is running in http. So swagger.json has "schemes" : [ "http" ], even though the browser is in https...

So IMHO the UI should default to whatever scheme it used to get the swagger.json file. This can be passed in as an (optional) parameter to swagger-js.

[fehguy]

Well, that would be ignoring the spec, which isn't a good idea. If you're deploying the schemes to something else, consider either leaving it off (it's optional) or setting the scheme in javascript like such:

window.swaggerUi.api.setSchemes(['https'])

Which will override the spec value.

[IanRogers-LShift]

well, I want to use the packaged UI (from https://github.com/smoketurner/dropwizard-swagger in fact) and the simplest java annotations.

I guess I want to force the java annotations to set no scheme at all so the UI is forced to use the one it knows about... But a lot of people are going to be bitten by this.

[IanRogers-LShift]

swagger-api/swagger-js#665 only checks the ui hint if the scheme setting is empty. I guess this is the way it's going to be.

[fehguy]

Yes, that's my suggestion, just leave the schemes empty