CSP script-src breaks SAML functionality in 6.3.X?

[Michael Daniel Seymour]

Hi all,

I believe enabling the script-src Content Security Policy in Apache will break SAML.

https://content-security-policy.com/script-src/

"The execution of all JS event handlers from inline HTML markup are blocked default, onclick, onload, onmouseover, onsubmit, etc. You can get them to work via a 'unsafe-hashes' source list expression, however that is only supported on CSP Level 3 browsers."

The callback from CAS through to the SAML SP fails because it contains some of these handlers. I have yet to try it, but possibly the unsafe-hashes policy could be used. But, it is not the safe or recommended way. They recommend refactoring the offending code.

Page loaded from https://cas.server.com/idp/profile/SAML2/Callback?entityId=ENTITYID&ticket=TICKET

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
    </head>
    <body onload="document.forms[0].submit()">
        <noscript>
            <p>
                <strong>Note:</strong> Since your browser does not support JavaScript,
                you must press the Continue button once to proceed.
            </p>
        </noscript>
        
        <form action="https&#x3a;&#x2f;&#x2f;saml.sp.com&#x2f;Saml&#x2f;SSO" method="post">
            <div>
<input type="hidden" name="RelayState" value="RELAYSTATE;"/>                
                
<input type="hidden" name="SAMLResponse" value="SAMLRESPONSE"/>                
            </div>
            <noscript>
                <div>
                    <input type="submit" value="Continue"/>
                </div>
            </noscript>
        </form>
    </body>
</html>

[King, Robert]

In case anyone runs into this situation, the solution was to enable “unsafe-hashes” and add the hash for the inline script.

 

An example Apache directive:

 

<IfModule mod_headers.c>

  Header set Content-Security-Policy: “script-src ‘unsafe-hashes’ ‘self’ ‘sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='”

</IfModule mod_headers.c>

 

Where the SHA256 hash is for the inline script “document.forms[0].submit()”.

 

 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/40ab7a36-8f57-41b0-afb1-ce790d9df43an%40apereo.org.

[Andy Ng]

Dear all,

An alternative method would be to modify the saml2-post-binding.vm file directly:

In your cas project, add:
cas\src\main\resources\templates\saml2-post-binding.vm

And add hash / add nonce / do whatever you want to the file to satisfied CSP

For the actual content of saml2-post-binding.vm, you need to find it in shibboleth, or an unoffical reference would be here: https://github.com/zeigeist/opensaml/blob/master/saml/src/main/resources/templates/saml2-post-binding.vm

Cheers!

Andy