Fix Content-Security-Policy if hash is included in script-src #404

Merged (4 commits), May 2, 2024

15 changes: 15 additions & 0 deletions djangosaml2/templates/djangosaml2/post_binding_form.html
@@ -0,0 +1,15 @@
<script type="text/javascript"{% if request.csp_nonce %} nonce="{{ request.csp_nonce }}"{% endif %}>
window.onload = function() {
document.SSO_Login.submit();
};
</script>
<p>
You're being redirected to a SSO login page.
Please click the button below if you're not redirected automatically within a few seconds.
</p>
<form method="post" action="{{ target_url }}" name="SSO_Login">
{% for key, value in params.items %}
<input type="hidden" name="{{ key }}" value="{{ value }}" />
{% endfor %}
<input type="submit" value="Log in" />
</form>
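Review bot: the `nonce` attribute on the `<script>` is emitted only when `request.csp_nonce` exists, so on a deployment where the django-csp middleware is not active, or where `CSP_INCLUDE_NONCE_IN` excludes `script-src`, the autosubmit is silently blocked and the user is left with the manual "Log in" button; a short template comment next to the `{% if request.csp_nonce %}` stating that dependency would stop a later edit from dropping the conditional. The hidden inputs are fine as written: `{{ key }}` and `{{ value }}` are auto-escaped by Django templates, and the `{{ target_url }}` in `action` is constrained by the `form-action https:` update in `utils.py`.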
4 changes: 2 additions & 2 deletions djangosaml2/utils.py
@@ -257,6 +257,6 @@ def _django_csp_update_decorator():
)
return
else:
# script-src 'unsafe-inline' to autosubmit forms,
# autosubmit of forms uses nonce per default
# form-action https: to send data to IdPs
return csp_update(SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"])
return csp_update(FORM_ACTION=["https:"])
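Review bot: dropping `'unsafe-inline'` here is the right fix, because a CSP Level 2 or later browser ignores `'unsafe-inline'` whenever the same directive also carries a hash or nonce source, which is exactly why `SCRIPT_SRC=["'unsafe-inline'"]` stopped working once a hash was present in `script-src`. With it gone the nonce is the only path, so the new comment `# autosubmit of forms uses nonce per default` should state what that requires (`script-src` listed in `CSP_INCLUDE_NONCE_IN`), and it is worth noting in the comment that `FORM_ACTION=["https:"]` still widens `form-action` for the POST to the IdP, which is a broader allowance than the nonce-scoped script.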
5 changes: 5 additions & 0 deletions docs/source/contents/security.md
@@ -34,6 +34,11 @@ guides: djangosaml2 will automatically blend in and update the headers for
POST-bindings, so you must not include exceptions for djangosaml2 in your
global configuration.

Note that to enable autosubmit of post-bindings inline-javascript is used. To
allow execution of this autosubmit-code a nonce is included, which works in
default configuration but may not work if you modify `CSP_INCLUDE_NONCE_IN`
to exclude `script-src`.

You can specify a custom CSP handler via the `SAML_CSP_HANDLER` setting and the
warning can be disabled by setting `SAML_CSP_HANDLER=''`. See the
[djangosaml2](https://djangosaml2.readthedocs.io/) documentation for more
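Review bot: the new paragraph should tell the reader what to check and what the failure looks like, since "may not work" is vague: say that `CSP_INCLUDE_NONCE_IN` must contain `'script-src'` for the nonce to be emitted on the `script-src` directive, and that without it the autosubmit script is blocked by the browser and the user has to press the "Log in" button. Minor wording: "post-bindings" should match the "POST-bindings" used two lines above, and "inline-javascript" should read "inline JavaScript".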
2 changes: 1 addition & 1 deletion setup.py
@@ -27,7 +27,7 @@ def read(*rnames):

setup(
name="djangosaml2",
version="1.9.2",
version="1.9.3",
description="pysaml2 integration for Django",
long_description=read("README.md"),
long_description_content_type="text/markdown",
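Review bot: a patch-level bump to 1.9.3 is appropriate for a bug fix, but this release changes the effective CSP for every deployment that relied on the removed `'unsafe-inline'` in `script-src`, so the release notes should call that out alongside the `CSP_INCLUDE_NONCE_IN` requirement documented in `security.md`.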