Self-submitting form in a node application
Hi, I'm implementing an SSO client using node-oidc-provider.
Background:
node-oidc-provider has a built-in form submission that requires the user to "confirm that he wants to sign out" by clicking a button that submits a hidden form that will revoke his OAuth token.
I would like to skip that confirmation step by self-submitting the form on page load, like the package author suggests here.
The problem:
I've added a nonce to the script and meta tag, but the browsers still refuse to load my script:
const crypto = require("crypto");

async function getNonce () {
  // 16 random bytes, base64-encoded, used as the per-response CSP nonce
  return crypto.randomBytes(16).toString("base64");
}

async function logoutSource (ctx, form) {
  // @param ctx - koa request context
  // @param form - the hidden logout form rendered by node-oidc-provider
  const nonce = await getNonce();
  // Note: CSP keyword sources such as 'strict-dynamic' must be single-quoted,
  // otherwise the browser treats the bare word as a host-source and ignores it.
  ctx.body = `<!DOCTYPE HTML>
<html>
<head>
  <title>Logout</title>
  <meta http-equiv="content-security-policy"
        content="
          script-src 'nonce-${nonce}' 'strict-dynamic' 'unsafe-inline';
          default-src 'self';
        ">
</head>
<body>
  ${form}
  <script nonce="${nonce}">
    var form = document.forms[0];
    var input = document.createElement('input');
    input.type = 'hidden';
    input.name = 'logout';
    input.value = 'yes';
    form.appendChild(input);
    form.submit();
  </script>
</body>
</html>`;
}
Looking at the request in the browser's network tab I see the nonce.
However, when the browser renders the response the nonce is stripped away, citing a CSP violation. I'm guessing there is something wrong with the meta head, but after reading the CSP docs I have been unable to figure out the error.
Update 1: Chrome shows this error message
Firefox: Content Security Policy: The page's settings blocked the loading of a resource at inline (“script-src”).
Looks like you have published two CSPs at the same time - the first one via HTTP header and the second one via meta tag.
In this case all sources should pass both CSPs unscratched to be allowed, but the first CSP doesn't have a nonce.
Presumably the first CSP is the default CSP published by the Helmet middleware, which is in the dependencies of NodeJS.
Check the HTTP response header; the manual is here.
If a Content-Security-Policy HTTP header is present, you have 2 options:
1. Add the nonce into the HTTP header and remove the meta tag CSP.
2. If this is the trick of Helmet, then CSP can be turned off using:
const express = require("express");
const helmet = require("helmet");
const app = express();

// This disables the `contentSecurityPolicy` middleware but keeps the rest.
app.use(
  helmet({
    contentSecurityPolicy: false,
  })
);