Fix CSP-Uses where hash-values are already specified for script-src #403
Comments
|
Ciao @prauscher the PR number 401 is now merged. I'd go for another PR and in addition to this I would appreciate if you could also advance the version of the release in the file setup.py We'll produce a new release after the next PR about this CSP |
|
Thanks for the fast feedback, I opted for number 2, so see #404 :) |
|
Just to keep it noted here: #404 is now merged, but only solves this issue for login-requests by providing a post binding form which uses the nonce. The same would be required for logout, but currently djangosaml2 does not use a post binding template for logout, but recycles the html received from pysaml2. So if you are using hashes in your script-src-option of csp and use logout with post bindings, you will still have the problem of To fix this properly, djangosaml2 would require a overhaul to use own templates during logout too. In the meantime, you could probably use a |
Hello,
I just figured out that using
csp_updatecan result in a problem: If you (for some reason) specified a hash in the global CSP-Configuration for script-src, the introduced'unsafe-inline'gets ignored. There are two possible options in my mind:csp_replaceinstead ofcsp_updateto ignore the CSP-Header specified by the integrating project. Would be a quick fix, but does not feel too good imho.PySAML2: https://github.com/IdentityPython/pysaml2/blob/7cb4f09dce87a7e8098b9c7552ebab8bc77bc896/src/saml2/pack.py#L38Imho the best solution would be to include a default
post_binding_form.htmlwhich uses a nonce. This would also remove the required'unsafe-inline'from CSP-Settings. What are your feelings regarding this? And should this be a new PR or shall it be integrated to #401? My suggestion would be to include it in #401 iff option 1 would be selected, but a separate if option 2 would be selected.The text was updated successfully, but these errors were encountered: