Description
SAML with POST-Bindings has inherent problems with Content-Security-Policies being in place: the three views `LoginView`, `LogoutView` and `LogoutInitView` all need at least `form-action https:` and probably `script-src 'unsafe-inline'` to autostart redirection.

Gladly, django-csp exists and allows for quite easy setting of these headers, so if an application activates them, djangosaml2 won't work any longer due to CSP restrictions being enabled. As most users probably do not want to enable `unsafe-inline` and `form-action` to any https-site, djangosaml2 should update the values, e.g. using `@csp_update(SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"])`.
My current implementation as a quickfix is btw:
```python
from csp.decorators import csp_update
from django.urls import include, path
from djangosaml2 import views as saml2_views

# Additive CSP update applied only to the views that render the
# auto-submitting POST-binding form.
saml2_csp = csp_update(SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"])

urlpatterns = [
    path("login/", saml2_csp(saml2_views.LoginView.as_view()), name="saml2_login"),
    path("acs/", saml2_views.AssertionConsumerServiceView.as_view(), name="saml2_acs"),
    path("logout/", saml2_csp(saml2_views.LogoutInitView.as_view()), name="saml2_logout"),
    path("ls/", saml2_csp(saml2_views.LogoutView.as_view()), name="saml2_ls"),
    path("ls/post/", saml2_csp(saml2_views.LogoutView.as_view()), name="saml2_ls_post"),
    path("metadata/", saml2_views.MetadataView.as_view(), name="saml2_metadata"),
    ...
]
```

instead of

```python
urlpatterns = [path("", include("djangosaml2.urls")), ...]
```
If one were to implement this properly, one option would probably be to do something like
```python
from django.utils.decorators import method_decorator

try:
    from csp.decorators import csp_update
except ImportError:
    # django-csp not installed: decorator becomes a no-op
    def saml2_csp(func):
        return func
else:
    saml2_csp = csp_update(SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"])

[...]

@method_decorator(saml2_csp, name='dispatch')
class LoginView(...):
```
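To make the header effect concrete, here is an added illustration (not django-csp's or djangosaml2's code): a minimal CSP parser/serializer that mimics the additive behaviour of `csp_update`, plus a check for the two directives the issue names. The sample policy and the function names are constructed for this example; it assumes the POST-binding page uses an inline `<script>` and posts to an `https://` IdP endpoint.

```python
# Added illustration, not django-csp's or djangosaml2's code: a minimal CSP
# parser/serializer mimicking the additive effect of django-csp's csp_update,
# plus a check for what the auto-submitting SAML POST-binding page needs.

def parse_csp(header):
    """Parse "name src src; name src" into {name: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def serialize_csp(policy):
    """Inverse of parse_csp: the Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in policy.items())

def csp_update(policy, **updates):
    """Append sources to directives (SCRIPT_SRC -> script-src): the additive
    behaviour the issue asks for via @csp_update, as opposed to replacing."""
    merged = {name: list(srcs) for name, srcs in policy.items()}
    for key, sources in updates.items():
        name = key.lower().replace("_", "-")
        for src in sources:
            if src not in merged.setdefault(name, []):
                merged[name].append(src)
    return merged

def saml_post_binding_blocked(policy):
    """Return the directives that would block the auto-submitting SAML form."""
    problems = []
    # script-src falls back to default-src when it is absent.
    script = policy.get("script-src", policy.get("default-src"))
    if script is not None and "'unsafe-inline'" not in script:
        problems.append("script-src")
    # form-action is a navigation directive and does NOT fall back to
    # default-src, so it only restricts the POST when set explicitly.
    form = policy.get("form-action")
    if form is not None and not ({"https:", "*"} & set(form)):
        problems.append("form-action")
    return problems

STRICT = "default-src 'self'; form-action 'self'"  # constructed sample policy

if __name__ == "__main__":
    base = parse_csp(STRICT)
    print(saml_post_binding_blocked(base))  # ['script-src', 'form-action']
    relaxed = csp_update(base, SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"])
    print(serialize_csp(relaxed), saml_post_binding_blocked(relaxed))  # ... []
```

Note that appending to a directive absent from the base policy creates it, which also ends its `default-src` fallback (here `script-src` ends up as `'unsafe-inline'` alone); policies that use nonces or hashes ignore `'unsafe-inline'`, so the check only covers the approach the issue proposes.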