
Commit fcf97f5

authored
Merge pull request #593 from jrafanie/fix-bricked-oidc-login-from-csp
Update CSP to allow unsafe-inline for oidc login endpoints
2 parents 55f8e06 + 0c307a3 commit fcf97f5


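--- a/external_auth/oidc-httpd-configs/authentication.conf
+++ b/external_auth/oidc-httpd-configs/authentication.conf
@@ -25,14 +25,14 @@ OIDCOAuthSSLValidateServer Off
 Header always set Strict-Transport-Security "max-age=631138519"
 Header always set X-Content-Type-Options "nosniff"
 
-# Minimal CSP for OIDC authentication redirects (no scripts, images, or external resources)
+# CSP for OIDC authentication redirects - allows inline styles/scripts needed by auth flow
 <Location /oidc_login>
 AuthType openid-connect
 Require valid-user
 FileETag None
 # Explicit HSTS for redundancy
 Header always set Strict-Transport-Security "max-age=631138519"
-Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; report-uri /dashboard/csp_report; report-to csp-endpoint"
+Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; report-uri /dashboard/csp_report; report-to csp-endpoint"
 Header set Report-To "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"/dashboard/csp_report\"}]}"
 Header Set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
 Header Set Pragma "no-cache"
@@ -45,7 +45,7 @@ Header always set X-Content-Type-Options "nosniff"
 FileETag None
 # Explicit HSTS for redundancy
 Header always set Strict-Transport-Security "max-age=631138519"
-Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; report-uri /dashboard/csp_report; report-to csp-endpoint"
+Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; report-uri /dashboard/csp_report; report-to csp-endpoint"
 Header set Report-To "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"/dashboard/csp_report\"}]}"
 Header Set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
 Header Set Pragma "no-cache"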
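Review bot: `script-src 'self' 'unsafe-inline'` in the new Content-Security-Policy on line 35 (and the identical directive on line 48 in the second hunk) gives up the policy's protection against injected inline script on the endpoint that completes the OIDC login, which is exactly where that protection matters most. If the inline script the auth flow needs is static (presumably emitted by the OIDC module on its redirect page), allowing it by hash — `script-src 'self' 'sha256-<HASH_OF_INLINE_SCRIPT>'` — keeps the protection while still permitting that one block, and CSP Level 2 browsers ignore `'unsafe-inline'` when a hash or nonce is also listed, so both can be present for older clients; the same applies to `style-src`. The new comment on line 28 should also record which inline script/style this is for and why a hash or nonce was not used, e.g. `# 'unsafe-inline' is needed because <component> emits inline script/style on the OIDC redirect page; revisit with hash/nonce allow-listing`. The `<Location>` block enclosing the second hunk starts outside the hunk.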
