Error in CSP (#1138)
parent
aca541253a
commit
93e02e1400
|
@ -637,27 +637,33 @@ sub sendHtml {
|
||||||
push @{ $req->respHeaders },
|
push @{ $req->respHeaders },
|
||||||
'X-XSS-Protection' => '1; mode=block',
|
'X-XSS-Protection' => '1; mode=block',
|
||||||
'X-Content-Type-Options' => 'nosniff';
|
'X-Content-Type-Options' => 'nosniff';
|
||||||
unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) {
|
|
||||||
my $csp = $self->csp . "form-action 'self'";
|
# Set authorizated URL for POST
|
||||||
my $url = $args{params}->{URL};
|
my $csp = $self->csp . "form-action 'self'";
|
||||||
if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
|
my $url = $args{params}->{URL};
|
||||||
$csp .= " $url";
|
if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
|
||||||
}
|
$csp .= " $url";
|
||||||
$csp .= ';';
|
|
||||||
my @url;
|
|
||||||
if ( $req->info ) {
|
|
||||||
@url = map { s#https?://([^/]+).*#$1#; $_ }
|
|
||||||
( $req->info =~ /<iframe.*?src="(.*?)"/sg );
|
|
||||||
}
|
|
||||||
if (@url) {
|
|
||||||
$csp .= join( ' ', 'frame-ancestors', @url ) . ';';
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
push @{ $req->respHeaders }, 'X-Frame-Options' => 'DENY';
|
|
||||||
$csp .= "frame-ancestors 'none';";
|
|
||||||
}
|
|
||||||
push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;
|
|
||||||
}
|
}
|
||||||
|
$csp .= ';';
|
||||||
|
|
||||||
|
# Deny using portal in frame except if it is required
|
||||||
|
unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) {
|
||||||
|
push @{ $req->respHeaders }, 'X-Frame-Options' => 'DENY';
|
||||||
|
$csp .= "frame-ancestors 'none';";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check if frames need to be embedded
|
||||||
|
my @url;
|
||||||
|
if ( $req->info ) {
|
||||||
|
@url = map { s#https?://([^/]+).*#$1#; $_ }
|
||||||
|
( $req->info =~ /<iframe.*?src="(.*?)"/sg );
|
||||||
|
}
|
||||||
|
if (@url) {
|
||||||
|
$csp .= join( ' ', 'child-src', @url ) . ';';
|
||||||
|
}
|
||||||
|
|
||||||
|
# Set CSP header
|
||||||
|
push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;
|
||||||
|
|
||||||
return $self->SUPER::sendHtml( $req, $template, %args );
|
return $self->SUPER::sendHtml( $req, $template, %args );
|
||||||
}
|
}
|
||||||
|
|
|
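Review bot: The host captured by `s#https?://([^/]+).*#$1#` and appended to `form-action` (and, via the same pattern in the `child-src` map) is not restricted to hostname characters: `[^/]+` also accepts `;`, whitespace, `@` and a userinfo part, so whatever follows the scheme up to the first `/` lands verbatim in the Content-Security-Policy header and a stray `;` would be read by the browser as the start of another directive. If `$args{params}->{URL}` or the iframe `src` values in `$req->info` can carry request-supplied text (not visible from this hunk), that is a CSP injection path; even if they are validated upstream, narrowing the capture here is cheap. I would replace the two `$url` lines with `my ($host) = ( $args{params}->{URL} // '' ) =~ m{\Ahttps?://([\w.-]+(?::\d+)?)}i;` followed by `$csp .= " $host" if $host;`, and use the same anchored character class inside the `map` that builds `@url` (returning `()` on a non-match instead of passing the raw string through). Using distinct names for the scalar `$url` and the array `@url` would also make the two blocks easier to read. sendHtml begins above this hunk.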
@ -94,11 +94,11 @@ m#iframe src="http://auth.idp.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
|
||||||
( $url, $query ) = ( $1, $2 );
|
( $url, $query ) = ( $1, $2 );
|
||||||
ok(
|
ok(
|
||||||
getHeader( $res, 'Content-Security-Policy' ) =~
|
getHeader( $res, 'Content-Security-Policy' ) =~
|
||||||
/frame-ancestors auth.idp.com/,
|
/child-src auth.idp.com/,
|
||||||
' Frame is authorizated'
|
' Frame is authorizated'
|
||||||
)
|
)
|
||||||
or explain( $res->[1],
|
or explain( $res->[1],
|
||||||
'Content-Security-Policy => ...frame-ancestors auth.idp.com' );
|
'Content-Security-Policy => ...child-src auth.idp.com' );
|
||||||
|
|
||||||
ok(
|
ok(
|
||||||
$res = $issuer->_get(
|
$res = $issuer->_get(
|
||||||
|
@ -109,8 +109,9 @@ m#iframe src="http://auth.idp.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
|
||||||
),
|
),
|
||||||
'Get iframe'
|
'Get iframe'
|
||||||
);
|
);
|
||||||
ok( !defined getHeader( $res, 'Content-Security-Policy' ),
|
ok( getHeader( $res, 'Content-Security-Policy' ) !~ /frame-ancessor/,
|
||||||
' No CSP header' );
|
' Framing authorizated' )
|
||||||
|
or explain( $res->[1], 'No frame-ancessor' );
|
||||||
( $host, $url, $query ) =
|
( $host, $url, $query ) =
|
||||||
expectAutoPost( $res, 'auth.sp.com', '/saml/proxySingleLogout',
|
expectAutoPost( $res, 'auth.sp.com', '/saml/proxySingleLogout',
|
||||||
'SAMLRequest' );
|
'SAMLRequest' );
|
||||||
|
|
|
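Review bot: The new negative assertion `getHeader( $res, 'Content-Security-Policy' ) !~ /frame-ancessor/` can never fail, because the directive is spelled `frame-ancestors` and `/frame-ancessor/` does not match it; the test therefore no longer checks that the iframe response omits the directive. The same misspelling is in the `' Frame can be embedded'` assertions of hunks `@ -121,8 +120,10`, `@ -124,8 +124,10` and `@ -86,7 +86,10`, and in their `explain` messages. Change the pattern to `!~ /frame-ancestors/` in all four places (and fix the `explain` text to match); since `getHeader` may return undef when no header is set, guarding with `( getHeader( $res, 'Content-Security-Policy' ) // '' ) !~ /frame-ancestors/` also avoids an uninitialized-value warning in that case.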
@ -103,12 +103,11 @@ m#iframe src="http://auth.sp.com(/saml/proxySingleLogout)\?(SAMLRequest=.*?)"#,
|
||||||
$url = $1;
|
$url = $1;
|
||||||
my $query = $2;
|
my $query = $2;
|
||||||
ok(
|
ok(
|
||||||
getHeader( $res, 'Content-Security-Policy' ) =~
|
getHeader( $res, 'Content-Security-Policy' ) =~ /child-src auth.sp.com/,
|
||||||
/frame-ancestors auth.sp.com/,
|
|
||||||
'Frame is authorizated'
|
'Frame is authorizated'
|
||||||
)
|
)
|
||||||
or explain( $res->[1],
|
or explain( $res->[1],
|
||||||
'Content-Security-Policy => ...frame-ancestors auth.idp.com' );
|
'Content-Security-Policy => ...child-src auth.idp.com' );
|
||||||
|
|
||||||
switch ('sp');
|
switch ('sp');
|
||||||
ok( $res = $sp->_get( $url, query => $query, accept => 'text/html' ),
|
ok( $res = $sp->_get( $url, query => $query, accept => 'text/html' ),
|
||||||
|
@ -121,8 +120,10 @@ m#iframe src="http://auth.sp.com(/saml/proxySingleLogout)\?(SAMLRequest=.*?)"#,
|
||||||
ok( $res = $issuer->_get( $url, query => $query, accept => 'text/html' ),
|
ok( $res = $issuer->_get( $url, query => $query, accept => 'text/html' ),
|
||||||
'Push SAML response to IdP' );
|
'Push SAML response to IdP' );
|
||||||
expectOK($res);
|
expectOK($res);
|
||||||
ok( !defined getHeader( $res, 'Content-Security-Policy' ),
|
ok( getHeader( $res, 'Content-Security-Policy' ) !~ /frame-ancessor/,
|
||||||
' No CSP header' );
|
' Frame can be embedded' )
|
||||||
|
or explain( $res->[1],
|
||||||
|
'Content-Security-Policy does not contain a frame-ancessor' );
|
||||||
|
|
||||||
# Test if logout is done
|
# Test if logout is done
|
||||||
switch ('issuer');
|
switch ('issuer');
|
||||||
|
|
|
@ -107,11 +107,11 @@ SKIP: {
|
||||||
$query = $2;
|
$query = $2;
|
||||||
ok(
|
ok(
|
||||||
getHeader( $res, 'Content-Security-Policy' ) =~
|
getHeader( $res, 'Content-Security-Policy' ) =~
|
||||||
/frame-ancestors auth.idp.com/,
|
/child-src auth.idp.com/,
|
||||||
'Frame is authorizated'
|
'Frame is authorizated'
|
||||||
)
|
)
|
||||||
or explain( $res->[1],
|
or explain( $res->[1],
|
||||||
'Content-Security-Policy => ...frame-ancestors auth.idp.com' );
|
'Content-Security-Policy => ...child-src auth.idp.com' );
|
||||||
|
|
||||||
switch ('issuer');
|
switch ('issuer');
|
||||||
ok(
|
ok(
|
||||||
|
@ -124,8 +124,10 @@ SKIP: {
|
||||||
'Get iframe from IdP'
|
'Get iframe from IdP'
|
||||||
);
|
);
|
||||||
expectOK($res);
|
expectOK($res);
|
||||||
ok( !defined getHeader( $res, 'Content-Security-Policy' ),
|
ok( getHeader( $res, 'Content-Security-Policy' ) !~ /frame-ancessor/,
|
||||||
' No CSP header' );
|
' Frame can be embedded' )
|
||||||
|
or explain( $res->[1],
|
||||||
|
'Content-Security-Policy does not contain a frame-ancessor' );
|
||||||
|
|
||||||
# Verify that user has been disconnected
|
# Verify that user has been disconnected
|
||||||
ok( $res = $issuer->_get( '/', cookie => "lemonldap=$idpId" ),
|
ok( $res = $issuer->_get( '/', cookie => "lemonldap=$idpId" ),
|
||||||
|
|
|
@ -86,7 +86,10 @@ ok(
|
||||||
);
|
);
|
||||||
count(1);
|
count(1);
|
||||||
expectOK($res);
|
expectOK($res);
|
||||||
ok( !defined getHeader( $res, 'Content-Security-Policy' ), ' No CSP header' );
|
ok( getHeader( $res, 'Content-Security-Policy' ) !~ /frame-ancessor/,
|
||||||
|
' Frame can be embedded' )
|
||||||
|
or explain( $res->[1],
|
||||||
|
'Content-Security-Policy does not contain a frame-ancessor' );
|
||||||
count(1);
|
count(1);
|
||||||
|
|
||||||
# Logout initiated by RP
|
# Logout initiated by RP
|
||||||
|
|