Dear all,

An alternative method would be to modify the saml2-post-binding.vm file 
directly:

In your cas project, add:
cas\src\main\resources\templates\saml2-post-binding.vm

And add a hash / add a nonce / do whatever you want to the file to satisfy CSP.

For the actual content of saml2-post-binding.vm, you need to find it in 
Shibboleth, or an unofficial reference would be 
here: 
https://github.com/zeigeist/opensaml/blob/master/saml/src/main/resources/templates/saml2-post-binding.vm

Cheers!
Andy
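A worked example added here by the editor (not code from this thread, from CAS or from Shibboleth): a Python script that computes the CSP hash source for the inline `onload` handler (the `'sha256-...'` form used in the Apache directive quoted further down), checks whether a given `script-src` value actually covers every inline event handler found on a page, and shows the nonce-based refactoring Andy alludes to, where the handler moves into a `<script nonce="...">` element and a matching per-response header is issued instead of `'unsafe-hashes'`. The sample page is a constructed, simplified copy of the POST-binding page from the thread; the function names, the nonce value and the sample SP URL are assumptions, and wiring the nonce into the Velocity template and the response header is left to CAS configuration.

```python
import base64
import hashlib
import html
import re
import secrets

# Constructed, simplified copy of the SAML2 POST-binding page shown in the
# thread; only the parts that matter for CSP are kept.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head><meta charset="utf-8" /></head>
<body onload="document.forms[0].submit()">
    <form action="https://saml.sp.example/Saml/SSO" method="post">
        <input type="hidden" name="RelayState" value="RELAYSTATE"/>
        <input type="hidden" name="SAMLResponse" value="SAMLRESPONSE"/>
        <noscript><input type="submit" value="Continue"/></noscript>
    </form>
</body>
</html>
"""

# The inline event handler the page runs, and the hash source posted in the thread.
INLINE_HANDLER = "document.forms[0].submit()"
POSTED_HASH = "'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='"


def csp_hash_source(script: str) -> str:
    """CSP source expression for an inline script or handler body: SHA-256 over
    the exact UTF-8 bytes of the (entity-decoded) attribute value, no trimming."""
    digest = hashlib.sha256(script.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode('ascii')}'"


def hash_policy(script: str) -> str:
    """script-src that permits one inline event handler via 'unsafe-hashes'
    (CSP Level 3) plus scripts served from the IdP's own origin."""
    return f"script-src 'self' 'unsafe-hashes' {csp_hash_source(script)}"


def find_inline_handlers(page: str) -> list[tuple[str, str]]:
    """(attribute, body) for every on* handler attribute: the things a
    script-src without 'unsafe-hashes' refuses to run. Bodies are HTML-unescaped
    because the browser hashes the parsed attribute value, not the raw markup."""
    pattern = re.compile(r'\s(on[a-z]+)\s*=\s*"([^"]*)"', re.IGNORECASE)
    return [(m.group(1).lower(), html.unescape(m.group(2)))
            for m in pattern.finditer(page)]


def uncovered_handlers(policy: str, page: str) -> list[str]:
    """Handler bodies the policy would block. Hash sources only apply to event
    handler attributes when 'unsafe-hashes' is also present, so without it
    every handler on the page is reported."""
    sources = set(policy.split())
    handlers = [body for _, body in find_inline_handlers(page)]
    if "'unsafe-hashes'" not in sources:
        return handlers
    return [body for body in handlers if csp_hash_source(body) not in sources]


def new_nonce() -> str:
    """Per-response nonce: 128 bits of CSPRNG output, base64 as CSP expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def refactor_to_nonce(page: str, nonce: str) -> tuple[str, str]:
    """Move the body onload handler into a nonce-bearing <script> at the end of
    <body> (it runs after the form has been parsed, so behaviour is unchanged)
    and return (rewritten page, matching script-src). No 'unsafe-hashes' needed."""
    bodies = [body for attr, body in find_inline_handlers(page) if attr == "onload"]
    new_page = re.sub(r'\s+onload\s*=\s*"[^"]*"', "", page, count=1, flags=re.IGNORECASE)
    if bodies:
        script = f'<script nonce="{nonce}">{bodies[0]}</script>'
        new_page = new_page.replace("</body>", f"    {script}\n</body>", 1)
    return new_page, f"script-src 'self' 'nonce-{nonce}'"


if __name__ == "__main__":
    computed = csp_hash_source(INLINE_HANDLER)
    verdict = "matches the posted hash" if computed == POSTED_HASH else "differs from the posted hash"
    print("hash source:", computed, f"({verdict})")
    print("hash header:", hash_policy(INLINE_HANDLER))
    print("blocked by a plain script-src 'self':", uncovered_handlers("script-src 'self'", SAMPLE_PAGE))
    page, policy = refactor_to_nonce(SAMPLE_PAGE, new_nonce())
    print("nonce header:", policy)
    print(page)
```

A static Apache `Header set` directive can carry the hash, because the handler text never changes, but it cannot carry a nonce: a nonce must be minted by whatever renders the page (CAS, through a modified saml2-post-binding.vm) and written into both the `<script>` element and the `Content-Security-Policy` header of that same response. `uncovered_handlers` is the check to run against the live page after deploying either variant, since a hash that was computed over slightly different bytes (trailing whitespace, a different handler body in a newer template) silently breaks the SAML redirect.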


On Tuesday, 14 September 2021 at 19:39:38 UTC+8 ro...@mun.ca wrote:

> In case anyone runs into this situation, the solution was to enable 
> 'unsafe-hashes' and add the hash for the inline script.
>
> An example Apache directive:
>
> <IfModule mod_headers.c>
>   Header set Content-Security-Policy "script-src 'unsafe-hashes' 'self' 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='"
> </IfModule>
>
> Where the SHA256 hash is for the inline script 
> "document.forms[0].submit()".
>
> *From:* cas-...@apereo.org <cas-...@apereo.org> *On Behalf Of *Michael 
> Daniel Seymour
> *Sent:* Friday, September 3, 2021 12:49 PM
> *To:* CAS Community <cas-...@apereo.org>
> *Subject:* [EXTERNAL SENDER] [cas-user] CSP script-src breaks SAML 
> functionality in 6.3.X?
>
> Hi all,
>
> I believe enabling the *script-src* Content Security Policy in Apache 
> will break SAML.
>
> https://content-security-policy.com/script-src/
>
> "The execution of all JS event handlers from inline HTML markup are 
> blocked by default, onclick, onload, onmouseover, onsubmit, etc. You can get 
> them to work via a 'unsafe-hashes' source list expression, however that is 
> only supported on CSP Level 3 browsers."
>
> The callback from CAS through to the SAML SP fails because it contains 
> some of these handlers. I have yet to try it, but possibly the 
> *unsafe-hashes* policy could be used. But, it is not the safe or 
> recommended way. They recommend refactoring the offending code.
>
> Page loaded from 
> https://cas.server.com/idp/profile/SAML2/Callback?entityId=ENTITYID&ticket=TICKET
>
> <!DOCTYPE html>
> <html>
>     <head>
>         <meta charset="utf-8" />
>     </head>
>     <body onload="document.forms[0].submit()">
>         <noscript>
>             <p>
>                 <strong>Note:</strong> Since your browser does not support JavaScript,
>                 you must press the Continue button once to proceed.
>             </p>
>         </noscript>
>
>         <form action="https&#x3a;&#x2f;&#x2f;saml.sp.com&#x2f;Saml&#x2f;SSO" method="post">
>             <div>
>                 <input type="hidden" name="RelayState" value="RELAYSTATE;"/>
>                 <input type="hidden" name="SAMLResponse" value="SAMLRESPONSE"/>
>             </div>
>             <noscript>
>                 <div>
>                     <input type="submit" value="Continue"/>
>                 </div>
>             </noscript>
>         </form>
>     </body>
> </html>
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+u...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/40ab7a36-8f57-41b0-afb1-ce790d9df43an%40apereo.org.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/04592907-14cb-4300-867d-9aba1273f8c7n%40apereo.org.
