
Commit 409998a

ugravejzheaux
authored and committed
Add hash-based Content-Security-Policy for SAML pages
Closes gh-11631
1 parent e5ae35a commit 409998a

6 files changed

+16
-2
lines changed


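--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java
@@ -236,6 +236,8 @@ private String createSamlPostRequestFormData(Saml2PostAuthenticationRequest auth
 StringBuilder html = new StringBuilder();
 html.append("<!DOCTYPE html>\n");
 html.append("<html>\n").append(" <head>\n");
+html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
+.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
 html.append(" <meta charset=\"utf-8\" />\n");
 html.append(" </head>\n");
 html.append(" <body onload=\"document.forms[0].submit()\">\n");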

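--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilter.java
@@ -215,6 +215,8 @@ private String createSamlPostRequestFormData(String location, String saml, Strin
 StringBuilder html = new StringBuilder();
 html.append("<!DOCTYPE html>\n");
 html.append("<html>\n").append(" <head>\n");
+html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
+.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
 html.append(" <meta charset=\"utf-8\" />\n");
 html.append(" </head>\n");
 html.append(" <body onload=\"document.forms[0].submit()\">\n");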

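--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandler.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandler.java
@@ -119,6 +119,8 @@ private String createSamlPostRequestFormData(String location, String saml, Strin
 StringBuilder html = new StringBuilder();
 html.append("<!DOCTYPE html>\n");
 html.append("<html>\n").append(" <head>\n");
+html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
+.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
 html.append(" <meta charset=\"utf-8\" />\n");
 html.append(" </head>\n");
 html.append(" <body onload=\"document.forms[0].submit()\">\n");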

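--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilterTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilterTests.java
@@ -198,7 +198,9 @@ public void doFilterWhenPostFormDataIsPresent() throws Exception {
 given(this.factory.createPostAuthenticationRequest(any())).willReturn(request);
 this.filter.doFilterInternal(this.request, this.response, this.filterChain);
 assertThat(this.response.getHeader("Location")).isNull();
-assertThat(this.response.getContentAsString())
+assertThat(this.response.getContentAsString()).contains(
+"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">")
+.contains("<body onload=\"document.forms[0].submit()\">")
 .contains("<form action=\"https://sso-url.example.com/IDP/SSO\" method=\"post\">")
 .contains("<input type=\"hidden\" name=\"SAMLRequest\"")
 .contains("value=\"" + relayStateEncoded + "\"");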

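--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilterTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilterTests.java
@@ -117,6 +117,9 @@ public void doFilterWhenSamlRequestThenPosts() throws Exception {
 String content = response.getContentAsString();
 assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE);
 assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
+assertThat(content).contains(
+"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">");
+assertThat(content).contains("<body onload=\"document.forms[0].submit()\">");
 verify(this.securityContextHolderStrategy).getContext();
 }
 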
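--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2021 the original author or authors.
+* Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -97,6 +97,9 @@ public void onLogoutSuccessWhenPostThenPostsToAssertingParty() throws Exception
 String content = response.getContentAsString();
 assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST);
 assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
+assertThat(content).contains(
+"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">");
+assertThat(content).contains("<body onload=\"document.forms[0].submit()\">");
 }
 
 private Saml2Authentication authentication(RelyingPartyRegistration registration) {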
