Commit 1491ad45 authored by Xavier Guimard's avatar Xavier Guimard

Disable CSP for frames (#1138)

parent e6c457bf
......@@ -1223,6 +1223,7 @@ sub checkSession {
'debug' );
# TODO: access_control_allow_origin => '*'
$req->frame(1);
return $self->p->sendHtml(
$req,
'../common/oidc_checksession',
......
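Review bot: The added `$req->frame(1);` is unexplained, unlike the same call in sloServer below, so a reader has to infer from the `oidc_checksession` template name why anti-framing headers are being dropped for this response. Suggest `# The session-check page is loaded in an iframe by relying parties: do not send anti-framing headers`. Since the flag makes sendHtml skip the whole Content-Security-Policy header rather than only frame-ancestors, the comment should say so if that is the intent. checkSession starts before this hunk.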
......@@ -1382,6 +1382,7 @@ sub sloRelayPost {
# Delete relay session
$relayInfos->remove();
$req->frame(1);
return $self->p->do( $req, ['autoPost'] );
}
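Review bot: `$req->frame(1)` right before `$self->p->do( $req, ['autoPost'] )` carries no comment; the SAML tests in this commit show the relaySingleLogoutPOST URL being loaded as an `iframe src`, which is the reason for the flag and is worth stating at the call site. Suggest `# Relayed SLO POST is rendered inside an iframe: skip anti-framing headers`. sloRelayPost begins before this hunk.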
......@@ -1409,6 +1410,10 @@ sub sloServer {
# Ignore signature verification
$self->disableSignatureVerification($logout);
# Disable Content-Security-Policy header since logout can be embedded in
# a frame
$req->frame(1);
if ($request) {
# Process logout request
......
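Review bot: `$req->frame(1)` is set before `if ($request)`, so as far as this hunk shows it applies to every response sloServer produces afterwards, including any error page rendered for a malformed or rejected logout, which then goes out with no Content-Security-Policy header at all. The flag only needs to cover the response that is actually loaded inside an iframe, so consider setting it on that path alone, or have sendHtml drop just the anti-framing directives rather than the entire header. The remainder of sloServer, including where the response is sent, is outside this hunk.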
......@@ -53,6 +53,9 @@ has urlNotBase64 => ( is => 'rw' );
# Menu error
has menuError => ( is => 'rw' );
# Frame flag (used by Run to not send Content-Security-Policy header)
has frame => ( is => 'rw' );
# Error type
sub error_type {
my $req = shift;
......
......@@ -634,16 +634,16 @@ sub _dump {
sub sendHtml {
my ( $self, $req, $template, %args ) = @_;
my $csp = $self->csp . "form-action 'self'";
push @{ $req->respHeaders },
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff';
my $url = $args{params}->{URL};
if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
$csp .= " $url";
}
$csp .= ';';
unless ( $self->conf->{portalAntiFrame} == 0 ) {
unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) {
my $csp = $self->csp . "form-action 'self'";
my $url = $args{params}->{URL};
if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
$csp .= " $url";
}
$csp .= ';';
my @url;
if ( $req->info ) {
@url = map { s#https?://([^/]+).*#$1#; $_ }
......@@ -656,8 +656,8 @@ sub sendHtml {
push @{ $req->respHeaders }, 'X-Frame-Options' => 'DENY';
$csp .= "frame-ancestors 'none';";
}
push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;
}
push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;
return $self->SUPER::sendHtml( $req, $template, %args );
}
......
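Review bot: With `my $csp` and the final `push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;` both moved inside the `unless`, a request flagged with `$req->frame` loses the whole policy — `$self->csp` (the source directives) and `form-action 'self'` — not only the `frame-ancestors` directive it needs to drop; the new tests confirm the header disappears outright. If I read the moved push correctly, the same now happens when `portalAntiFrame` is 0, which previously still received the base policy. Consider keeping the `my $csp = ...` / `$csp .= ';'` lines and the push outside the block and guarding only the anti-framing part: `unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) { ... frame-ancestors / X-Frame-Options ... }` followed by `push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;`. The `if ( $req->info )` branch that computes the allowed ancestors lies between the two hunks and is not visible here.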
......@@ -7,7 +7,7 @@ BEGIN {
require 't/test-lib.pm';
}
my $maintests = 15;
my $maintests = 16;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
......@@ -95,7 +95,7 @@ m#iframe src="http://auth.idp.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
ok(
getHeader( $res, 'Content-Security-Policy' ) =~
/frame-ancestors auth.idp.com/,
'Frame is authorizated'
' Frame is authorizated'
)
or explain( $res->[1],
'Content-Security-Policy => ...frame-ancestors auth.idp.com' );
......@@ -109,6 +109,8 @@ m#iframe src="http://auth.idp.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
),
'Get iframe'
);
ok( !defined getHeader( $res, 'Content-Security-Policy' ),
' No CSP header' );
( $host, $url, $query ) =
expectAutoPost( $res, 'auth.sp.com', '/saml/proxySingleLogout',
'SAMLRequest' );
......
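Review bot: The new assertion `ok( !defined getHeader( $res, 'Content-Security-Policy' ), ' No CSP header' )` locks in the removal of the whole header for the framed page, whereas the iframe only needs the absence of a `frame-ancestors` restriction; a check such as `unlike( getHeader( $res, 'Content-Security-Policy' ) // '', qr/frame-ancestors/, ' No frame-ancestors restriction' )` (Test::More's `unlike`, if test-lib exposes it) would keep passing if the portal later retains its base policy on framed responses. In the pre-existing check just above, `/frame-ancestors auth.idp.com/` leaves the dots unescaped; `qr/frame-ancestors auth\.idp\.com/` is stricter. The description `' Frame is authorizated'`, touched by this hunk, should read `' Frame is authorized'`.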
......@@ -7,7 +7,7 @@ BEGIN {
require 't/test-lib.pm';
}
my $maintests = 16;
my $maintests = 17;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
......@@ -121,6 +121,8 @@ m#iframe src="http://auth.sp.com(/saml/proxySingleLogout)\?(SAMLRequest=.*?)"#,
ok( $res = $issuer->_get( $url, query => $query, accept => 'text/html' ),
'Push SAML response to IdP' );
expectOK($res);
ok( !defined getHeader( $res, 'Content-Security-Policy' ),
' No CSP header' );
# Test if logout is done
switch ('issuer');
......
......@@ -7,7 +7,7 @@ BEGIN {
require 't/test-lib.pm';
}
my $maintests = 13;
my $maintests = 14;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
......@@ -124,6 +124,8 @@ SKIP: {
'Get iframe from IdP'
);
expectOK($res);
ok( !defined getHeader( $res, 'Content-Security-Policy' ),
' No CSP header' );
# Verify that user has been disconnected
ok( $res = $issuer->_get( '/', cookie => "lemonldap=$idpId" ),
......
......@@ -86,6 +86,8 @@ ok(
);
count(1);
expectOK($res);
ok( !defined getHeader( $res, 'Content-Security-Policy' ), ' No CSP header' );
count(1);
# Logout initiated by RP
switch ('rp');
......