Fix CSP-Uses where hash-values are already specified for script-src #403
Comments
Ciao @prauscher, the PR number 401 is now merged. I'd go for another PR and in addition to this I would appreciate if you could also advance the version of the release in the file setup.py. We'll produce a new release after the next PR about this CSP.
Thanks for the fast feedback, I opted for number 2, so see #404 :)
Just to keep it noted here: #404 is now merged, but only solves this issue for login-requests by providing a post binding form which uses the nonce. The same would be required for logout, but currently djangosaml2 does not use a post binding template for logout, but recycles the html received from pysaml2. So if you are using hashes in your script-src-option of csp and use logout with post bindings, you will still have the problem of To fix this properly, djangosaml2 would require an overhaul to use own templates during logout too. In the meantime, you could probably use a
@prauscher is there anything actionable to resolve this issue?
I would leave this issue open to document the problem: During POST-Logout, djangosaml2 does not specify its own template but instead relies on the template specified by pysaml2. As this only affects logout, it is probably not too much of an issue. To be fixed, one would need to copy the templating-logic of login-pages to logout-pages and provide a matching template (could probably be copied too).
Hello,

I just figured out that using `csp_update` can result in a problem: If you (for some reason) specified a hash in the global CSP-Configuration for script-src, the introduced `'unsafe-inline'` gets ignored. There are two possible options in my mind:

1. `csp_replace` instead of `csp_update` to ignore the CSP-Header specified by the integrating project. Would be a quick fix, but does not feel too good imho.
2. PySAML2: https://github.com/IdentityPython/pysaml2/blob/7cb4f09dce87a7e8098b9c7552ebab8bc77bc896/src/saml2/pack.py#L38
   Imho the best solution would be to include a default `post_binding_form.html` which uses a nonce. This would also remove the required `'unsafe-inline'` from CSP-Settings.

What are your feelings regarding this? And should this be a new PR or shall it be integrated to #401? My suggestion would be to include it in #401 iff option 1 would be selected, but a separate if option 2 would be selected.
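To see why a hash already present in the project's script-src makes the added `'unsafe-inline'` ineffective, here is a small model of the CSP3 inline-script rule together with the two options discussed (appending via `csp_update` versus overriding via `csp_replace`, and a nonce-based form). This is an added illustration, not code from django-csp, djangosaml2 or pysaml2; the helper names, the merge semantics modelled as a simple union, and the sample scripts are assumptions.

```python
import base64
import hashlib
import secrets

def sha256_source(script_text):
    """Build the 'sha256-...' source expression for an inline script body."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def inline_script_allowed(sources, script_text, script_nonce=None):
    """Simplified CSP3 decision for one inline <script> against script-src.

    A matching nonce or hash allows the script. 'unsafe-inline' only counts
    when the list holds no nonce-source or hash-source; that rule is what
    makes the 'unsafe-inline' added by csp_update ineffective here.
    """
    sources = list(sources)
    if script_nonce is not None and f"'nonce-{script_nonce}'" in sources:
        return True
    if sha256_source(script_text) in sources:
        return True
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    has_nonce_or_hash = any(s.startswith(prefixes) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash

def csp_update(base, extra):
    """Model of csp_update (assumption): the view's sources are appended."""
    return list(base) + [s for s in extra if s not in base]

def csp_replace(base, extra):
    """Model of csp_replace (assumption): the view's sources win outright."""
    return list(extra)

def scenario():
    # Constructed sample: the integrating project already whitelists one of
    # its own inline scripts by hash, so script-src contains a hash-source.
    base = ["'self'", sha256_source("console.log('project script');")]
    # Constructed stand-in for the auto-submit script of a POST binding form.
    form_script = "document.forms[0].submit();"
    nonce = secrets.token_urlsafe(16)
    return {
        "update_unsafe_inline": inline_script_allowed(
            csp_update(base, ["'unsafe-inline'"]), form_script),  # False
        "replace_unsafe_inline": inline_script_allowed(
            csp_replace(base, ["'unsafe-inline'"]), form_script),  # True
        "update_nonce": inline_script_allowed(
            csp_update(base, [f"'nonce-{nonce}'"]), form_script, nonce),  # True
    }
```

The first case is the reported bug: the hash-source from the project's settings survives the update, so the browser discards `'unsafe-inline'` and blocks the form's script; a nonce in the template (the third case) works regardless of what the project already whitelists.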