fix: use configured binding on SAML IDPs and make sure CSP doesn't block POST binding (#7341)

fix: use configured binding on SAML IDPs and make sure CSP doesn't block POST binding
2025-01-12 09:23:39 +00:00 · 2024-02-05 15:45:15 +01:00 · 2024-02-05 15:45:15 +01:00 · 7f7fb55f34
commit 7f7fb55f34
parent c081f72d85
2 changed files with 4 additions and 1 deletions
--- a/internal/api/ui/login/login.go
+++ b/internal/api/ui/login/login.go
@ -105,7 +105,7 @@ func csp() *middleware.CSP {
 	csp := middleware.DefaultSCP
 	csp.ObjectSrc = middleware.CSPSourceOptsSelf()
 	csp.StyleSrc = csp.StyleSrc.AddNonce()
-	csp.ScriptSrc = csp.ScriptSrc.AddNonce()
+	csp.ScriptSrc = csp.ScriptSrc.AddNonce().AddHash("sha256", "AjPdJSbZmeWHnEc5ykvJFay8FTWeTeRbs9dutfZ0HqE=")
 	return &csp
 }
--- a/internal/idp/providers/saml/saml.go
+++ b/internal/idp/providers/saml/saml.go
@ -159,6 +159,9 @@ func (p *Provider) GetSP() (*samlsp.Middleware, error) {
 	if p.requestTracker != nil {
 		sp.RequestTracker = p.requestTracker
 	}
 	if p.binding != "" {
 		sp.Binding = p.binding
 	}
 	return sp, nil
 }