fix: use configured binding on SAML IDPs and make sure CSP doesn't block POST binding (#7341)

fix: use configured binding on SAML IDPs and make sure CSP doesn't block POST binding (cherry picked from commit 7f7fb55f34)
2024-12-14 11:58:02 +00:00 · 2024-02-05 15:45:15 +01:00 · 2024-02-05 15:45:15 +01:00 · 904ab0db5b
commit 904ab0db5b
parent ddf869bb22
2 changed files with 4 additions and 1 deletions
--- a/internal/api/ui/login/login.go
+++ b/internal/api/ui/login/login.go
@ -105,7 +105,7 @@ func csp() *middleware.CSP {
 	csp := middleware.DefaultSCP
 	csp.ObjectSrc = middleware.CSPSourceOptsSelf()
 	csp.StyleSrc = csp.StyleSrc.AddNonce()
-	csp.ScriptSrc = csp.ScriptSrc.AddNonce()
+	csp.ScriptSrc = csp.ScriptSrc.AddNonce().AddHash("sha256", "AjPdJSbZmeWHnEc5ykvJFay8FTWeTeRbs9dutfZ0HqE=")
 	return &csp
 }

--- a/internal/idp/providers/saml/saml.go
+++ b/internal/idp/providers/saml/saml.go
@ -159,6 +159,9 @@ func (p *Provider) GetSP() (*samlsp.Middleware, error) {
 	if p.requestTracker != nil {
 		sp.RequestTracker = p.requestTracker
 	}
+	if p.binding != "" {
+		sp.Binding = p.binding
+	}
 	return sp, nil
 }