Hi im implementing an SSO client using node-oidc-provider
Background:
node-oidc-provider
has a built-in form submission that requires the user to "confirm that he wants to sign out" by clicking a button that submits a hidden form that will revoke his OAuth token.
I would like to skip that confirmation step by self-submitting the form on page load, like the package author suggests here
The problem:
I've added a nonce to the script and meta tag but the browsers still refuse to load my script
async function getNonce () {
const crypto = require("crypto");
return crypto.randomBytes(16).toString("base64");
}
async function logoutSource (ctx, form) {
// @param ctx - koa request context
const nonce = await getNonce();
ctx.body = `<!DOCTYPE HTML>
<head>
<title>Logout</title>
<meta http-equiv="content-security-policy"
content="
script-src 'nonce-${nonce}' strict-dynamic 'unsafe-inline';
default-src 'self';
">
</head>
<body>
${form}
<script nonce="${nonce}">
var form = document.forms[0];
var input = document.createElement('input');
input.type = 'hidden';
input.name = 'logout';
input.value = 'yes';
form.appendChild(input);
form.submit();
</script>
</body>
</html>`;
Looking at the request in the browsers.network tab I see the nonce
However when the browser renders the response the nonce is stripped away citing a CSP violation, Im guessing there is something wrong with the meta head but after reading the CSP docs I have been unable to figure out the error
Update 1 Chrome shows this error message
Firefox: Content Security Policy: The page's settings blocked the loading of a resource at inline (“script-src”).
Looks like you have published two CSPs at the same time - first one ia HTTP header and second one via meta tag.
In this case all sources should pass both CSPs unscratched to be allowed, but the first CSP doesn't have a nonce
.
Presumably the first CSP is default CSP been published by Helmet middleware, which is in the dependencies of NodeJS.
Check the HTTP response header, the manual is here .
If Content-Security-Policy
HTTP header is present, you have 2 opts:
nonce
into HTTP header and remove meta tag CSP.If this is the tricks of Helmet then CSP can be turned off using:
// This disables the `contentSecurityPolicy` middleware but keeps the rest.
app.use(
helmet({
contentSecurityPolicy: false,
})
);
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.