Disable CSP for frames (#1138)

1491ad45 · Yadd · e6c457bf · 1491ad45 · 1491ad45 · 1491ad45
Commit 1491ad45 authored Jan 20, 2017 by Yadd
8 changed files
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
@@ -1223,6 +1223,7 @@ sub checkSession {
        'debug' );

    # TODO: access_control_allow_origin => '*'
+    $req->frame(1);
    return $self->p->sendHtml(
        $req,
        '../common/oidc_checksession',

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm
@@ -1382,6 +1382,7 @@ sub sloRelayPost {

    # Delete relay session
    $relayInfos->remove();
+    $req->frame(1);
    return $self->p->do( $req, ['autoPost'] );
 }

@@ -1409,6 +1410,10 @@ sub sloServer {
    # Ignore signature verification
    $self->disableSignatureVerification($logout);

+    # Disable Content-Security-Policy header since logout can be embedded in
+    # a frame
+    $req->frame(1);
+
    if ($request) {

        # Process logout request

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Request.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Request.pm
@@ -53,6 +53,9 @@ has urlNotBase64 => ( is => 'rw' );
 # Menu error
 has menuError => ( is => 'rw' );

+# Frame flag (used by Run to not send Content-Security-Policy header)
+has frame => ( is => 'rw' );
+
 # Error type
 sub error_type {
    my $req = shift;

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@@ -634,16 +634,16 @@ sub _dump {

 sub sendHtml {
    my ( $self, $req, $template, %args ) = @_;
-    my $csp = $self->csp . "form-action 'self'";
    push @{ $req->respHeaders },
      'X-XSS-Protection'       => '1; mode=block',
      'X-Content-Type-Options' => 'nosniff';
-    my $url = $args{params}->{URL};
-    if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
-        $csp .= " $url";
-    }
-    $csp .= ';';
-    unless ( $self->conf->{portalAntiFrame} == 0 ) {
+    unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) {
+        my $csp = $self->csp . "form-action 'self'";
+        my $url = $args{params}->{URL};
+        if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
+            $csp .= " $url";
+        }
+        $csp .= ';';
        my @url;
        if ( $req->info ) {
            @url = map { s#https?://([^/]+).*#$1#; $_ }
@@ -656,8 +656,8 @@ sub sendHtml {
            push @{ $req->respHeaders }, 'X-Frame-Options' => 'DENY';
            $csp .= "frame-ancestors 'none';";
        }
+        push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;
    }
-    push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;

    return $self->SUPER::sendHtml( $req, $template, %args );
 }

--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t
@@ -7,7 +7,7 @@ BEGIN {
    require 't/test-lib.pm';
 }

-my $maintests = 15;
+my $maintests = 16;
 my $debug     = 'error';
 my ( $issuer, $sp, $res );
 my %handlerOR = ( issuer => [], sp => [] );
@@ -95,7 +95,7 @@ m#iframe src="http://auth.idp.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
    ok(
        getHeader( $res, 'Content-Security-Policy' ) =~
          /frame-ancestors auth.idp.com/,
-        'Frame is authorizated'
+        ' Frame is authorizated'
      )
      or explain( $res->[1],
        'Content-Security-Policy => ...frame-ancestors auth.idp.com' );
@@ -109,6 +109,8 @@ m#iframe src="http://auth.idp.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
        ),
        'Get iframe'
    );
+    ok( !defined getHeader( $res, 'Content-Security-Policy' ),
+        ' No CSP header' );
    ( $host, $url, $query ) =
      expectAutoPost( $res, 'auth.sp.com', '/saml/proxySingleLogout',
        'SAMLRequest' );

--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t
@@ -7,7 +7,7 @@ BEGIN {
    require 't/test-lib.pm';
 }

-my $maintests = 16;
+my $maintests = 17;
 my $debug     = 'error';
 my ( $issuer, $sp, $res );
 my %handlerOR = ( issuer => [], sp => [] );
@@ -121,6 +121,8 @@ m#iframe src="http://auth.sp.com(/saml/proxySingleLogout)\?(SAMLRequest=.*?)"#,
    ok( $res = $issuer->_get( $url, query => $query, accept => 'text/html' ),
        'Push SAML response to IdP' );
    expectOK($res);
+    ok( !defined getHeader( $res, 'Content-Security-Policy' ),
+        ' No CSP header' );

    # Test if logout is done
    switch ('issuer');

--- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS.t
+++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS.t
@@ -7,7 +7,7 @@ BEGIN {
    require 't/test-lib.pm';
 }

-my $maintests = 13;
+my $maintests = 14;
 my $debug     = 'error';
 my ( $issuer, $sp, $res );
 my %handlerOR = ( issuer => [], sp => [] );
@@ -124,6 +124,8 @@ SKIP: {
        'Get iframe from IdP'
    );
    expectOK($res);
+    ok( !defined getHeader( $res, 'Content-Security-Policy' ),
+        ' No CSP header' );

    # Verify that user has been disconnected
    ok( $res = $issuer->_get( '/', cookie => "lemonldap=$idpId" ),

--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
@@ -86,6 +86,8 @@ ok(
 );
 count(1);
 expectOK($res);
+ok( !defined getHeader( $res, 'Content-Security-Policy' ), ' No CSP header' );
+count(1);

 # Logout initiated by RP
 switch ('rp');