Fix Content-Security-Policy if hash is included in script-src (#404)

prauscher · web-flow · commit 632a0d956f05 · 2024-05-02T12:45:28.000+02:00
* replace unsafe-inline with nonce for autosubmit

* add note to docs about nonce

* bump version

* add check for nonce
diff --git a/djangosaml2/templates/djangosaml2/post_binding_form.html b/djangosaml2/templates/djangosaml2/post_binding_form.html
@@ -0,0 +1,15 @@
+<script type="text/javascript"{% if request.csp_nonce %} nonce="{{ request.csp_nonce }}"{% endif %}>
+	window.onload = function() {
+		document.SSO_Login.submit();
+	};
+</script>
+<p>
+You're being redirected to a SSO login page.
+Please click the button below if you're not redirected automatically within a few seconds.
+</p>
+<form method="post" action="{{ target_url }}" name="SSO_Login">
+	{% for key, value in params.items %}
+	    <input type="hidden" name="{{ key }}" value="{{ value }}" />
+	{% endfor %}
+    <input type="submit" value="Log in" />
+</form>
diff --git a/djangosaml2/utils.py b/djangosaml2/utils.py
@@ -257,6 +257,6 @@ def _django_csp_update_decorator():
         )
         return
     else:
-        # script-src 'unsafe-inline' to autosubmit forms,
+        # autosubmit of forms uses nonce per default
         # form-action https: to send data to IdPs
-        return csp_update(SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"])
+        return csp_update(FORM_ACTION=["https:"])
diff --git a/docs/source/contents/security.md b/docs/source/contents/security.md
@@ -34,6 +34,11 @@ guides: djangosaml2 will automatically blend in and update the headers for
 POST-bindings, so you must not include exceptions for djangosaml2 in your
 global configuration.
 
+Note that to enable autosubmit of post-bindings inline-javascript is used. To
+allow execution of this autosubmit-code a nonce is included, which works in
+default configuration but may not work if you modify `CSP_INCLUDE_NONCE_IN`
+to exclude `script-src`.
+
 You can specify a custom CSP handler via the `SAML_CSP_HANDLER` setting and the
 warning can be disabled by setting `SAML_CSP_HANDLER=''`. See the 
 [djangosaml2](https://djangosaml2.readthedocs.io/) documentation for more 
diff --git a/setup.py b/setup.py
@@ -27,7 +27,7 @@ def read(*rnames):
 
 setup(
     name="djangosaml2",
-    version="1.9.2",
+    version="1.9.3",
     description="pysaml2 integration for Django",
     long_description=read("README.md"),
     long_description_content_type="text/markdown",

Original file line number	Diff line number	Diff line change
`@@ -257,6 +257,6 @@ def _django_csp_update_decorator():`
`257`	`257`	`)`
`258`	`258`	`return`
`259`	`259`	`else:`
`260`		`- # script-src 'unsafe-inline' to autosubmit forms,`
	`260`	`+ # autosubmit of forms uses nonce per default`
`261`	`261`	`# form-action https: to send data to IdPs`
`262`		`- return csp_update(SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"])`
	`262`	`+ return csp_update(FORM_ACTION=["https:"])`