Add hash-based Content-Security-Policy for SAML pages
Closes gh-11631
This commit is contained in:
parent
f86d30f4a1
commit
4393c2ea02
@ -146,6 +146,8 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
|
|||||||
StringBuilder html = new StringBuilder();
|
StringBuilder html = new StringBuilder();
|
||||||
html.append("<!DOCTYPE html>\n");
|
html.append("<!DOCTYPE html>\n");
|
||||||
html.append("<html>\n").append(" <head>\n");
|
html.append("<html>\n").append(" <head>\n");
|
||||||
|
html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
|
||||||
|
.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
|
||||||
html.append(" <meta charset=\"utf-8\" />\n");
|
html.append(" <meta charset=\"utf-8\" />\n");
|
||||||
html.append(" </head>\n");
|
html.append(" </head>\n");
|
||||||
html.append(" <body onload=\"document.forms[0].submit()\">\n");
|
html.append(" <body onload=\"document.forms[0].submit()\">\n");
|
||||||
|
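Review bot: The hash in the new meta line at L30-L34 authorizes inline `<script>` content, not the `onload="document.forms[0].submit()"` attribute emitted a few lines below it — in browsers implementing CSP Level 3 a hash source matches an event-handler attribute only when `'unsafe-hashes'` is also listed in the directive, so an enforcing browser blocks the handler and the POST form never auto-submits. Either add `'unsafe-hashes'` to the directive or, preferably, drop the `onload` attribute and emit the submit as an inline element such as `<script>window.onload = function() { document.forms[0].submit(); }</script>` with the hash recomputed over exactly that script body (placeholder: `sha256-<BASE64_DIGEST_OF_SCRIPT_BODY>`). Whichever form is kept, a comment such as `// sha256 of the inline submit script below; regenerate if that source changes by even one character` would keep the next maintainer from silently breaking the redirect, since the literal is duplicated here and in the hunks at L53 and L95 with nothing tying it to the script it hashes. The enclosing method starts and ends outside this hunk.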
@ -199,6 +199,8 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||||||
StringBuilder html = new StringBuilder();
|
StringBuilder html = new StringBuilder();
|
||||||
html.append("<!DOCTYPE html>\n");
|
html.append("<!DOCTYPE html>\n");
|
||||||
html.append("<html>\n").append(" <head>\n");
|
html.append("<html>\n").append(" <head>\n");
|
||||||
|
html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
|
||||||
|
.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
|
||||||
html.append(" <meta charset=\"utf-8\" />\n");
|
html.append(" <meta charset=\"utf-8\" />\n");
|
||||||
html.append(" </head>\n");
|
html.append(" </head>\n");
|
||||||
html.append(" <body onload=\"document.forms[0].submit()\">\n");
|
html.append(" <body onload=\"document.forms[0].submit()\">\n");
|
||||||
|
@ -118,6 +118,8 @@ public final class Saml2RelyingPartyInitiatedLogoutSuccessHandler implements Log
|
|||||||
StringBuilder html = new StringBuilder();
|
StringBuilder html = new StringBuilder();
|
||||||
html.append("<!DOCTYPE html>\n");
|
html.append("<!DOCTYPE html>\n");
|
||||||
html.append("<html>\n").append(" <head>\n");
|
html.append("<html>\n").append(" <head>\n");
|
||||||
|
html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
|
||||||
|
.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
|
||||||
html.append(" <meta charset=\"utf-8\" />\n");
|
html.append(" <meta charset=\"utf-8\" />\n");
|
||||||
html.append(" </head>\n");
|
html.append(" </head>\n");
|
||||||
html.append(" <body onload=\"document.forms[0].submit()\">\n");
|
html.append(" <body onload=\"document.forms[0].submit()\">\n");
|
||||||
|
@ -170,7 +170,9 @@ public class Saml2WebSsoAuthenticationRequestFilterTests {
|
|||||||
given(this.authenticationRequestResolver.resolve(any())).willReturn(request);
|
given(this.authenticationRequestResolver.resolve(any())).willReturn(request);
|
||||||
this.filter.doFilterInternal(this.request, this.response, this.filterChain);
|
this.filter.doFilterInternal(this.request, this.response, this.filterChain);
|
||||||
assertThat(this.response.getHeader("Location")).isNull();
|
assertThat(this.response.getHeader("Location")).isNull();
|
||||||
assertThat(this.response.getContentAsString())
|
assertThat(this.response.getContentAsString()).contains(
|
||||||
|
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">")
|
||||||
|
.contains("<body onload=\"document.forms[0].submit()\">")
|
||||||
.contains("<form action=\"https://sso-url.example.com/IDP/SSO\" method=\"post\">")
|
.contains("<form action=\"https://sso-url.example.com/IDP/SSO\" method=\"post\">")
|
||||||
.contains("<input type=\"hidden\" name=\"SAMLRequest\"")
|
.contains("<input type=\"hidden\" name=\"SAMLRequest\"")
|
||||||
.contains("value=\"" + relayStateEncoded + "\"");
|
.contains("value=\"" + relayStateEncoded + "\"");
|
||||||
|
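Review bot: The new assertion at L157-L161 only checks that the hard-coded hash literal is echoed back into the page, so it keeps passing if that literal stops matching the inline handler the page emits — which is exactly the failure that breaks the redirect. Deriving the expected value in the test, e.g. `String expected = Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest("document.forms[0].submit()".getBytes(StandardCharsets.UTF_8)));` followed by `.contains("'sha256-" + expected + "'")` (needs `java.security.MessageDigest`, `java.util.Base64`, `java.nio.charset.StandardCharsets`), would tie the assertion to the script source and flag any drift between the two. The same fixed-literal assertion is repeated in the hunks at L184 and L256. The enclosing test method starts outside this hunk.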
@ -111,6 +111,9 @@ public class Saml2LogoutRequestFilterTests {
|
|||||||
String content = response.getContentAsString();
|
String content = response.getContentAsString();
|
||||||
assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE);
|
assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE);
|
||||||
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
|
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
|
||||||
|
assertThat(content).contains(
|
||||||
|
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">");
|
||||||
|
assertThat(content).contains("<body onload=\"document.forms[0].submit()\">");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2002-2021 the original author or authors.
|
* Copyright 2002-2022 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
@ -97,6 +97,9 @@ public class Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests {
|
|||||||
String content = response.getContentAsString();
|
String content = response.getContentAsString();
|
||||||
assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST);
|
assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST);
|
||||||
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
|
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
|
||||||
|
assertThat(content).contains(
|
||||||
|
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">");
|
||||||
|
assertThat(content).contains("<body onload=\"document.forms[0].submit()\">");
|
||||||
}
|
}
|
||||||
|
|
||||||
private Saml2Authentication authentication(RelyingPartyRegistration registration) {
|
private Saml2Authentication authentication(RelyingPartyRegistration registration) {
|
||||||
|