
Spring Security SAML2 - AuthN Request POST Binding requires CSP Header unsafe-inline scripts #11472

Closed
mmoussa-mapfre opened this issue Jul 7, 2022 · 4 comments
Labels: in: saml2 (An issue in SAML2 modules), status: ideal-for-contribution (An issue that we actively are looking for someone to help us with), type: enhancement (A general enhancement)

Comments

@mmoussa-mapfre (Contributor)

Expected Behavior

When using the Content Security Policy (CSP) header and doing a SAML2 AuthN Request POST Binding, add support for 'self' or nonce or hash instead of forcing unsafe-inline.

Current Behavior

When doing AuthN Requests with the SAML2 POST Binding, Spring Security creates HTML with an onload script to submit the SAML request Saml2WebSsoAuthenticationRequestFilter.createSamlPostRequestFormData(). In order for that onload script to work when using a CSP Header, I have to include script-src 'unsafe-inline'.

@mmoussa-mapfre mmoussa-mapfre added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jul 7, 2022
@jzheaux (Contributor) commented Jul 7, 2022

Duplicate of #9529

@jzheaux jzheaux marked this as a duplicate of #9529 Jul 7, 2022
@jzheaux jzheaux closed this as completed Jul 7, 2022
@jzheaux jzheaux added status: duplicate A duplicate of another issue in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 7, 2022
@jzheaux jzheaux self-assigned this Jul 7, 2022
@jzheaux (Contributor) commented Jul 11, 2022

Based on #9529 (comment), there may be a simpler way to address this issue than asking applications to create a custom page. As such, I'm reopening this issue for further consideration.

@jzheaux jzheaux reopened this Jul 11, 2022
@jzheaux jzheaux added status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: duplicate A duplicate of another issue labels Jul 11, 2022
@marcusdacoregio (Contributor) commented Sep 1, 2022

I believe this is now fixed via #11631?

@mmoussa-mapfre (Contributor, Author)

Yes, it appears that #11631 allows the CSP header to be used with the AuthN POST Binding. I am closing this issue.
