CSP /connect/authorize endpoint response

[fcavaco]

Hello, I have been recently tasked on adding csp to our identityserver4 implementation. We have a test app that uses idsrv authorize endpoint. i.e. this issue occurs while calling from the test app to the authorize endpoint and redirecting to the test app endpoint with token.

Question / Steps to reproduce the problem

when idsrv redirects back from the authorize endpoint it presents the html below which in turn fails csp validation with:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://XXXX 'self' ". Either the 'unsafe-inline' keyword, a hash ('sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8='), or a nonce ('nonce-...') is required to enable inline execution.

The response Header is: Content-Security-Policy: default-src 'self' ; script-src https://XXXX 'self' ;

is there anyway can avoid this issue? thought on making the csp directive on the idsrv more generic regarding the domain name but don't really want to allow inline scripts... ?

Minimal working example

<html>
    <head>
        <base target='_self'/>
    </head>
    <body>
        <form method='post' action='https://identity-test/signin-oidc'>
            <input type='hidden' name='code' value='XXX'/>
            <input type='hidden' name='id_token' value='eyXXX'/>
            <input type='hidden' name='scope' value='XXX'/>
            <input type='hidden' name='state' value='XXX'/>
            <input type='hidden' name='session_state' value='XXX'/>
            <noscript>
                <button>Click to continue</button>
            </noscript>
        </form>
        <script>
            window.addEventListener('load', function() {
                document.forms[0].submit();
            });
        </script>
    </body>
</html>

[Y90SMH]

Can you add the hash to your CSP? Or have you seen it change between tests?

[fcavaco]

not really sure how to take advantage of the hash or nonce idsrv sends in the response?!

[Y90SMH]

If your current response header is: Content-Security-Policy: default-src 'self'; script-src https://XXXX 'self';

Then the following should work: Content-Security-Policy: default-src 'self'; script-src https://XXXX 'self' 'sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8=';

[brockallen]

when idsrv redirects back from the authorize endpoint it presents the html below which in turn fails csp validation with: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://XXXX 'self' ". Either the 'unsafe-inline' keyword, a hash ('sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8='), or a nonce ('nonce-...') is required to enable inline execution.

There's no hash in the CSP response headers? This code should be adding it:

https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/src/Endpoints/Results/AuthorizeResult.cs#L130

[brockallen]

Any update?

[fcavaco]

Sorry for just now returning to this, thanks that solved the issue. i.e. adding the sha above to the script-src set. needed to do so including single quotes though... 'SHA' ...

although as I am using nwebsec package, would love to have a way of not overriding csp already emitted by IS4 endpoint !?

[lock[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.