SAML2 Login fails with CSP in chrome based browsers

[torstenwerner]

I have checked out the branch 5.8.x, started

./gradlew :servlet:spring-boot:java:saml2:login:bootRun

and opened http://localhost:8080/ . It redirects to http://localhost:8080/saml2/authenticate/one but this page fails with this error message

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

in the javascript console of chromium based browsers. The form submit does not work. The CSP (Content Security Policy) is inlined in the HTML of the page as a <meta> element.

It works in firefox. But that would exclude a majority of users.

If it is possible to turn off the inline CSP I would be happy to use it as a quick workaround.

[torstenwerner]

The CSP rule unsafe-hashes seems to be missing in chromium based browsers. But the better solution would be to move the javascript into a separate javascript file.

https://content-security-policy.com/unsafe-hashes/

[marcusdacoregio]

Hi @torstenwerner, thank you for the report.

I think this problem is related not only to the sample but to this new feature #11631. I'll transfer this issue to the Spring Security project

[marcusdacoregio]

Instead of adding the unsafe-* to the CSP in order to allow inline HTML event handlers (which is not recommended), we could add:

<script>window.onload = () => document.forms[0].submit();</script>

And then recompute the hash for this javascript and add in the meta-tag.