Dear all,

An alternative method would be to modify the saml2-post-binding.vm file directly:

In your CAS project, add:

    cas\src\main\resources\templates\saml2-post-binding.vm

and add a hash / add a nonce / do whatever you want to the file to satisfy CSP.

For the actual content of saml2-post-binding.vm, you need to find it in Shibboleth, or an unofficial reference would be here:
https://github.com/zeigeist/opensaml/blob/master/saml/src/main/resources/templates/saml2-post-binding.vm

Cheers!
Andy

On Tuesday, 14 September 2021 at 19:39:38 UTC+8 [email protected] wrote:
> In case anyone runs into this situation, the solution was to enable
> "unsafe-hashes" and add the hash for the inline script.
>
> An example Apache directive:
>
> <IfModule mod_headers.c>
>   Header set Content-Security-Policy "script-src 'unsafe-hashes' 'self' 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='"
> </IfModule>
>
> Where the SHA256 hash is for the inline script "document.forms[0].submit()".
>
> From: [email protected] <[email protected]> On Behalf Of Michael Daniel Seymour
> Sent: Friday, September 3, 2021 12:49 PM
> To: CAS Community <[email protected]>
> Subject: [EXTERNAL SENDER] [cas-user] CSP script-src breaks SAML functionality in 6.3.X?
>
> Hi all,
>
> I believe enabling the script-src Content Security Policy in Apache will break SAML.
>
> https://content-security-policy.com/script-src/
>
> "The execution of all JS event handlers from inline HTML markup are blocked default, onclick, onload, onmouseover, onsubmit, etc. You can get them to work via a 'unsafe-hashes' source list expression, however that is only supported on CSP Level 3 browsers."
>
> The callback from CAS through to the SAML SP fails because it contains some of these handlers. I have yet to try it, but possibly the unsafe-hashes policy could be used. But, it is not the safe or recommended way. They recommend refactoring the offending code.
>
> Page loaded from
> https://cas.server.com/idp/profile/SAML2/Callback?entityId=ENTITYID&ticket=TICKET
>
> <!DOCTYPE html>
> <html>
> <head>
> <meta charset="utf-8" />
> </head>
> <body onload="document.forms[0].submit()">
> <noscript>
> <p>
> <strong>Note:</strong> Since your browser does not support JavaScript,
> you must press the Continue button once to proceed.
> </p>
> </noscript>
>
> <form action="https://saml.sp.com/Saml/SSO" method="post">
> <div>
> <input type="hidden" name="RelayState" value="RELAYSTATE;"/>
> <input type="hidden" name="SAMLResponse" value="SAMLRESPONSE"/>
> </div>
> <noscript>
> <div>
> <input type="submit" value="Continue"/>
> </div>
> </noscript>
> </form>
> </body>
> </html>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/40ab7a36-8f57-41b0-afb1-ce790d9df43an%40apereo.org
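The two fixes discussed in this thread (an 'unsafe-hashes' hash for the body onload= handler, or editing saml2-post-binding.vm to use a nonce) both depend on getting a CSP source expression exactly right. The script below is an added example, not code from the thread, CAS, Shibboleth or OpenSAML: it computes the CSP hash for the inline handler so the value in the Apache directive is derived rather than copied by hand, checks whether a given policy would actually let that handler run (a listed hash without 'unsafe-hashes' covers <script> elements only, not event-handler attributes), and shows the nonce variant of the template. The page skeleton, the example hostname and the policy strings are constructed for the demonstration.

```python
import base64
import hashlib
import secrets

# The inline event handler from the SAML2 POST binding page quoted in the thread.
INLINE_HANDLER = "document.forms[0].submit()"


def csp_hash(source: str, algo: str = "sha256") -> str:
    """CSP hash source expression for an inline script body or event-handler
    attribute value. The digest is taken over the exact UTF-8 bytes, so any
    change in whitespace or quoting produces a different value."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_sources(policy: str) -> list[str]:
    """Source list that governs scripts: script-src, falling back to default-src
    as CSP does when script-src is absent."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


def inline_script_allowed(policy: str, script_body: str) -> bool:
    """A <script> element body runs if its hash is listed; no 'unsafe-hashes' needed."""
    return f"'{csp_hash(script_body)}'" in script_sources(policy)


def handler_allowed(policy: str, handler_source: str) -> bool:
    """An event-handler attribute (onload=...) runs only if its hash is listed
    AND 'unsafe-hashes' is present; a matching hash alone is not enough."""
    sources = script_sources(policy)
    return "'unsafe-hashes'" in sources and f"'{csp_hash(handler_source)}'" in sources


def hash_policy(handler_source: str) -> str:
    """Header value equivalent to the Apache directive posted in the thread."""
    return f"script-src 'self' 'unsafe-hashes' '{csp_hash(handler_source)}'"


def apache_directive(handler_source: str) -> str:
    """The mod_headers line an administrator can paste, hash computed not copied."""
    return f'Header set Content-Security-Policy "{hash_policy(handler_source)}"'


def nonce_variant(page_html: str) -> tuple[str, str]:
    """The template-edit alternative suggested in the thread: move the auto-submit
    from body onload= into a nonced <script> element and emit a matching
    'nonce-...' policy. The nonce must be generated fresh for every response."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    html = page_html.replace(f'<body onload="{INLINE_HANDLER}">', "<body>")
    html = html.replace(
        "</form>", f'</form>\n<script nonce="{nonce}">{INLINE_HANDLER}</script>'
    )
    return f"script-src 'self' 'nonce-{nonce}'", html


# Constructed page skeleton mirroring the quoted saml2-post-binding output
# (hostname is a placeholder, not a real SP).
SAMPLE_PAGE = (
    '<html><body onload="document.forms[0].submit()">\n'
    '<form action="https://saml.sp.example/Saml/SSO" method="post">\n'
    '<input type="hidden" name="SAMLResponse" value="SAMLRESPONSE"/>\n'
    "</form></body></html>"
)

if __name__ == "__main__":
    print(apache_directive(INLINE_HANDLER))
    header, html = nonce_variant(SAMPLE_PAGE)
    print(header)
    print(html)
```

Run it once to print the directive for the handler string exactly as it appears in the rendered page; if the template is ever changed, even by a trailing space inside the onload attribute, the hash changes and the handler is blocked again, which is why the nonce variant (one policy value per response, no hash to keep in sync) is the easier one to maintain once the template is under your control.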
