berserker
/
microblog
2
0
Fork 1
Code Issues 12 Pull Requests Projects Releases Wiki Activity

Fix #26849 by adding the domain of the current SSO provider to the form-action CSP (#26857)

Browse Source
local
CSDUMMI 8 months ago committed by GitHub
parent 93223633fc
commit 9a70cac9de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      app/controllers/concerns/web_app_controller_concern.rb
  2. 2
      app/serializers/initial_state_serializer.rb
  3. 24
      config/initializers/content_security_policy.rb

2
app/controllers/concerns/web_app_controller_concern.rb
Unescape View File

@ -11,7 +11,7 @@ module WebAppControllerConcern
end
def skip_csrf_meta_tags?
!(ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1) && current_user.nil?
!(ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1) && current_user.nil?
end
def set_app_body_class

2
app/serializers/initial_state_serializer.rb
Unescape View File

@ -113,6 +113,6 @@ class InitialStateSerializer < ActiveModel::Serializer
end
def sso_redirect
"/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
"/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
end
end

24
config/initializers/content_security_policy.rb
Unescape View File

@ -19,6 +19,22 @@ media_host ||= host_to_url(ENV['AZURE_ALIAS_HOST'])
media_host ||= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'
media_host ||= assets_host
def sso_host
return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true'
return unless ENV['OMNIAUTH_ONLY'] == 'true'
return unless Devise.omniauth_providers.length == 1
provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
@sso_host ||= begin
# using CAS
provider.cas_url if ENV['CAS_ENABLED'] == 'true'
# using SAML
provider.options[:idp_sso_target_url] if ENV['SAML_ENABLED'] == 'true'
# or using OIDC
ENV['OIDC_AUTH_ENDPOINT'] || (OpenIDConnect::Discovery::Provider::Config.discover!(ENV['OIDC_ISSUER']).authorization_endpoint if ENV['OIDC_ENABLED'] == 'true')
end
end
Rails.application.config.content_security_policy do |p|
p.base_uri :none
p.default_src :none
@ -29,7 +45,13 @@ Rails.application.config.content_security_policy do |p|
p.media_src :self, :https, :data, assets_host
p.frame_src :self, :https
p.manifest_src :self, assets_host
p.form_action :self
if sso_host.present?
p.form_action :self, sso_host
else
p.form_action :self
end
p.child_src :self, :blob, assets_host
p.worker_src :self, :blob, assets_host

Write Preview
Loading…
Cancel
Save