Set custom csp rule for OpenID consent form submit based on schema

This commit is contained in:
Johannes Zellner
2023-09-26 21:25:43 +02:00
parent e91536b9e1
commit b0115acf42
+11
@@ -487,6 +487,17 @@ function renderInteractionPage(provider) {
options.submitUrl = `${ROUTE_PREFIX}/interaction/${uid}/${options.hasAccess ? 'confirm' : 'abort'}`;
let formActionRule = '*';
// add custom schemata to csp form-action rules
client.loginRedirectUri.split(',').forEach((u) => {
try {
const url = new URL(u);
if (url.protocol) formActionRule += ` ${url.protocol}`;
} catch (e) {}
});
res.set('Content-Security-Policy', `"default-src 'none'; frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action ${formActionRule};"`);
return res.render('interaction', options);
}
default:
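Review bot: The header value on the `res.set('Content-Security-Policy', ...)` line is wrapped in literal double quotes (`` `"default-src 'none'; … ;"` ``), so the first directive a browser sees is named `"default-src`, which is not a recognized directive and is ignored, and the trailing `"` after the last `;` becomes an empty unknown directive; the `default-src 'none'` fallback is therefore silently dropped, and the new `form-action` directive is the last thing before that stray quote. Whether the quotes predate this commit is not visible here, but the new side should send the bare value: `` `default-src 'none'; …; form-action ${formActionRule}` ``. Separately, `formActionRule` starts at `'*'`, which already permits submission (and, in Chrome, post-submit redirects) to any http(s) origin, so the per-client schemes only add non-http schemes; if the submit target is always `${ROUTE_PREFIX}/interaction/...`, consider seeding with `'self'` plus the parsed `url.origin`/`url.protocol` values instead of `*`, and add a short why-comment on the empty `catch` such as `// ignore malformed redirect URIs; they cannot contribute a scheme`. `renderInteractionPage` begins before this hunk and the enclosing `switch` continues after it.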