diff --git a/djangosaml2/templates/djangosaml2/post_binding_form.html b/djangosaml2/templates/djangosaml2/post_binding_form.html new file mode 100644 index 00000000..e70c183a --- /dev/null +++ b/djangosaml2/templates/djangosaml2/post_binding_form.html @@ -0,0 +1,15 @@ + +
+You're being redirected to a SSO login page. +Please click the button below if you're not redirected automatically within a few seconds. +
+ diff --git a/djangosaml2/utils.py b/djangosaml2/utils.py index 3299da86..e13182a0 100644 --- a/djangosaml2/utils.py +++ b/djangosaml2/utils.py @@ -257,6 +257,6 @@ def _django_csp_update_decorator(): ) return else: - # script-src 'unsafe-inline' to autosubmit forms, + # autosubmit of forms uses nonce per default # form-action https: to send data to IdPs - return csp_update(SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"]) + return csp_update(FORM_ACTION=["https:"]) diff --git a/docs/source/contents/security.md b/docs/source/contents/security.md index 46f93fea..4e0f7c49 100644 --- a/docs/source/contents/security.md +++ b/docs/source/contents/security.md @@ -34,6 +34,11 @@ guides: djangosaml2 will automatically blend in and update the headers for POST-bindings, so you must not include exceptions for djangosaml2 in your global configuration. +Note that to enable autosubmit of post-bindings inline-javascript is used. To +allow execution of this autosubmit-code a nonce is included, which works in +default configuration but may not work if you modify `CSP_INCLUDE_NONCE_IN` +to exclude `script-src`. + You can specify a custom CSP handler via the `SAML_CSP_HANDLER` setting and the warning can be disabled by setting `SAML_CSP_HANDLER=''`. See the [djangosaml2](https://djangosaml2.readthedocs.io/) documentation for more diff --git a/setup.py b/setup.py index 7713acd1..267921a2 100644 --- a/setup.py +++ b/setup.py @@ -27,7 +27,7 @@ def read(*rnames): setup( name="djangosaml2", - version="1.9.2", + version="1.9.3", description="pysaml2 integration for Django", long_description=read("README.md"), long_description_content_type="text/markdown",
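Review bot: The markup of post_binding_form.html is not visible in this extract, so I cannot confirm that the autosubmit `<script>` carries `nonce="{{ request.csp_nonce }}"`, which the utils.py hunk in this same commit now relies on instead of `'unsafe-inline'`; if it does, that coupling deserves a template comment so the attribute is not stripped by a later edit, e.g. `{# keep the nonce on the autosubmit script: _django_csp_update_decorator no longer adds 'unsafe-inline' to script-src #}`. With django-csp the nonce is populated by its middleware and only reaches the template when it is rendered with the request in context, so a deployment rendering this template another way would get an empty nonce and a blocked autosubmit. The visible "click the button below" text is the right no-JS fallback, provided the submit button itself needs no script to work.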
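Review bot: The `else:` branch now silently depends on django-csp emitting the nonce for script-src: a deployment that excludes `script-src` from `CSP_INCLUDE_NONCE_IN`, or that sets its own `CSP_SCRIPT_SRC` while the nonce is only added to `default-src`, gets a POST-binding page whose autosubmit is blocked by the browser with no server-side signal, and the docs hunk acknowledges this but the code does not check it. A settings check with a logged warning at decoration time would surface that misconfiguration, and the replaced comment should say what the code actually relies on: `# script-src: the autosubmit <script> in post_binding_form.html is nonce-tagged (request.csp_nonce), so 'unsafe-inline' is no longer added`. Whether `settings` and a module logger are already in scope in utils.py is not visible here, and the check below targets the django-csp 3.x `CSP_*` settings (4.x moves the nonce into `CONTENT_SECURITY_POLICY` directive values), so adapt it to whichever versions the project supports. `_django_csp_update_decorator` begins before this hunk.

```python
        else:
            # script-src: the autosubmit <script> in post_binding_form.html is
            # nonce-tagged (request.csp_nonce), so 'unsafe-inline' is no longer added.
            # form-action https: to send data to IdPs
            nonce_in = set(getattr(settings, "CSP_INCLUDE_NONCE_IN", ["default-src"]))
            nonce_covers_scripts = "script-src" in nonce_in or (
                "default-src" in nonce_in and not getattr(settings, "CSP_SCRIPT_SRC", None)
            )
            if not nonce_covers_scripts:
                logger.warning(
                    "CSP_INCLUDE_NONCE_IN does not cover script-src; the SAML "
                    "POST-binding autosubmit will be blocked by your CSP"
                )
            return csp_update(FORM_ACTION=["https:"])
```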