From e2d2c2092962792704791624ca7fc535171e4aa4 Mon Sep 17 00:00:00 2001 From: Patrick Rauscher Date: Tue, 30 Apr 2024 11:04:40 +0200 Subject: [PATCH 1/4] replace unsafe-inline with nonce for autosubmit --- .../templates/djangosaml2/post_binding_form.html | 15 +++++++++++++++ djangosaml2/utils.py | 4 ++-- 2 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 djangosaml2/templates/djangosaml2/post_binding_form.html diff --git a/djangosaml2/templates/djangosaml2/post_binding_form.html b/djangosaml2/templates/djangosaml2/post_binding_form.html new file mode 100644 index 00000000..5222203b --- /dev/null +++ b/djangosaml2/templates/djangosaml2/post_binding_form.html @@ -0,0 +1,15 @@ + +

+You're being redirected to a SSO login page. +Please click the button below if you're not redirected automatically within a few seconds. +

+
+ {% for key, value in params.items %} + + {% endfor %} + +
\ No newline at end of file diff --git a/djangosaml2/utils.py b/djangosaml2/utils.py index 3299da86..e13182a0 100644 --- a/djangosaml2/utils.py +++ b/djangosaml2/utils.py @@ -257,6 +257,6 @@ def _django_csp_update_decorator(): ) return else: - # script-src 'unsafe-inline' to autosubmit forms, + # autosubmit of forms uses nonce per default # form-action https: to send data to IdPs - return csp_update(SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"]) + return csp_update(FORM_ACTION=["https:"]) From bd63d19eb6b60f230739258b613e46272daca18d Mon Sep 17 00:00:00 2001 From: Patrick Rauscher Date: Tue, 30 Apr 2024 11:04:53 +0200 Subject: [PATCH 2/4] add note to docs about nonce --- docs/source/contents/security.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/source/contents/security.md b/docs/source/contents/security.md index 46f93fea..4e0f7c49 100644 --- a/docs/source/contents/security.md +++ b/docs/source/contents/security.md @@ -34,6 +34,11 @@ guides: djangosaml2 will automatically blend in and update the headers for POST-bindings, so you must not include exceptions for djangosaml2 in your global configuration. +Note that to enable autosubmit of post-bindings inline-javascript is used. To +allow execution of this autosubmit-code a nonce is included, which works in +default configuration but may not work if you modify `CSP_INCLUDE_NONCE_IN` +to exclude `script-src`. + You can specify a custom CSP handler via the `SAML_CSP_HANDLER` setting and the warning can be disabled by setting `SAML_CSP_HANDLER=''`. See the [djangosaml2](https://djangosaml2.readthedocs.io/) documentation for more From 58f8b616cbdd482c9356361ac114f96ab57fb3ed Mon Sep 17 00:00:00 2001 From: Patrick Rauscher Date: Tue, 30 Apr 2024 11:04:59 +0200 Subject: [PATCH 3/4] bump version --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 7713acd1..267921a2 100644 --- a/setup.py +++ b/setup.py 
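Review bot: The hidden inputs built by `{% for key, value in params.items %}` carry the IdP-bound parameters (SAMLRequest and, if present, RelayState) that this form posts, and the `<input>` markup itself is not visible in this extraction, so confirm that `{{ value }}` is rendered under Django's default autoescaping with no `|safe` filter or `{% autoescape off %}` block — a quoted, escaped attribute is the only barrier if RelayState is derived from request input. Now that `'unsafe-inline'` is gone the autosubmit works only when the nonce on the inline script matches the one django-csp emits in the effective `script-src`; the fallback button text is therefore the user's only recovery path and should stay visible rather than hidden by script. Two smaller points on the new lines: the copy reads `a SSO login page` and should be `an SSO login page`, and the file is committed without a trailing newline (`\ No newline at end of file`).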
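Review bot: With `'unsafe-inline'` dropped, `return csp_update(FORM_ACTION=["https:"])` leaves the autosubmit entirely dependent on the nonce being reflected into the effective `script-src`, yet nothing here detects the configuration the docs commit warns about, where `CSP_INCLUDE_NONCE_IN` has been narrowed so the script directive carries no nonce and the form silently stops auto-submitting. Consider a guard such as `nonce_in = getattr(settings, "CSP_INCLUDE_NONCE_IN", ("default-src",))` followed by a `logger.warning(...)` when neither `"script-src"` nor `"default-src"` is in it, assuming `settings` and a module logger are already available in this module (the hunk does not show the imports). The replacement comment is also vaguer than the one it removes; `# script-src: the autosubmit <script> carries the per-request CSP nonce, so 'unsafe-inline' is no longer needed` states the actual reason. `_django_csp_update_decorator` begins before this hunk, so the branch that returns early is not visible here.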
@@ -27,7 +27,7 @@ def read(*rnames): setup( name="djangosaml2", - version="1.9.2", + version="1.9.3", description="pysaml2 integration for Django", long_description=read("README.md"), long_description_content_type="text/markdown", From ff9ded108fa9e5394a90962db2de6cccc5730b95 Mon Sep 17 00:00:00 2001 From: Patrick Rauscher Date: Tue, 30 Apr 2024 15:37:35 +0200 Subject: [PATCH 4/4] add check for nonce --- djangosaml2/templates/djangosaml2/post_binding_form.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/djangosaml2/templates/djangosaml2/post_binding_form.html b/djangosaml2/templates/djangosaml2/post_binding_form.html index 5222203b..e70c183a 100644 --- a/djangosaml2/templates/djangosaml2/post_binding_form.html +++ b/djangosaml2/templates/djangosaml2/post_binding_form.html @@ -1,4 +1,4 @@ -