Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Content-Security-Policy if hash is included in script-src #404

Merged
merged 4 commits into from
May 2, 2024
Merged

Fix Content-Security-Policy if hash is included in script-src #404

merged 4 commits into from
May 2, 2024

Conversation

prauscher
Copy link
Contributor

See #403 for the problem. This PR addresses option 2, so a default post-binding-template is specified which includes a nonce. We also bump the version on request of @peppelinux

@prauscher prauscher mentioned this pull request Apr 30, 2024
Open
@prauscher prauscher changed the title Fix Content-Security-Policy if hash is included in script-src Draft: Fix Content-Security-Policy if hash is included in script-src Apr 30, 2024
@prauscher
Copy link
Contributor Author

Just realized that Logout would have a similar problem, so i'll probably add another template

@peppelinux
Copy link
Member

Just realized that Logout would have a similar problem, so i'll probably add another template

Please create a base template that should be inherited by login and logout sub templates

@prauscher
Copy link
Contributor Author

I looked into it found that djangosaml2 currently takes its html for logout with post binding directly from pysaml2. Changing this would require quite some changes in djangosaml2 which are probably not worth the efford for now. My suggestion would be to create a new issue to document the problem and merge this PR - do you agree, @peppelinux ?

@prauscher prauscher changed the title Draft: Fix Content-Security-Policy if hash is included in script-src Fix Content-Security-Policy if hash is included in script-src Apr 30, 2024
@prauscher prauscher requested a review from peppelinux May 1, 2024 09:10
@peppelinux peppelinux merged commit 632a0d9 into IdentityPython:master May 2, 2024
16 checks passed
@tinyx
Copy link

tinyx commented Jul 23, 2024

This is minor, but I would like to point out that the PySAML template had all the visible elements wrapped with a <noscript> so the user will not notice anything but a blank page.

With this change though, they will see the un-styled text and button, which again, is minor, but could be a surprise from a patch update.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peppelinux peppelinux Awaiting requested review from peppelinux

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@prauscher @peppelinux @tinyx