Make Login.ashx page CSP-compliant

bwfox · bwfox · commit 9ba43f8a3b83 · 2026-04-07T11:37:45.000+01:00
The page used `&lt;body onload="document.forms[0].submit()"&gt;` which is not
compliant with our stricter Content-Security Policy as that will block
all in-line JavaScript. Instead use a &lt;script&gt; element to auto-submit
the form.

Note: In order to populate the nonce attribute in the new script
element, we need the value of the nonce for that request. The simplest
way to get this is to pull this out of the HTTP Context, which is what
this change does, but this adds an additional level of coupling between
the library and the application using it.
diff --git a/src/SAML2/Bindings/HttpPostBindingBuilder.cs b/src/SAML2/Bindings/HttpPostBindingBuilder.cs
@@ -90,8 +90,9 @@ public string Response
         /// <summary>
         /// Gets the ASP.Net page that will serve html to user agent.
         /// </summary>
+        /// <param name="cspNonce"></param>
         /// <returns>The Page.</returns>
-        public Page GetPage()
+        public Page GetPage(string cspNonce)
         {
             if (_request == null && _response == null)
             {
@@ -112,7 +113,7 @@ public Page GetPage()
             var head = new HtmlHead { Title = "SAML2.0 POST binding" };
             p.Controls.Add(head);            
 
-            p.Controls.Add(new LiteralControl(Environment.NewLine + "<body onload=\"document.forms[0].submit()\">" + Environment.NewLine));
+            p.Controls.Add(new LiteralControl(Environment.NewLine + "<body>" + Environment.NewLine));
             p.Controls.Add(new LiteralControl("<noscript><p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the Continue button once to proceed.</p></noscript>"));                                   
 
             p.Controls.Add(new LiteralControl("<form action=\"" + _destinationEndpoint.Url + "\" method=\"post\"><div>"));
@@ -137,7 +138,10 @@ public Page GetPage()
             p.Controls.Add(action);
 
             p.Controls.Add(new LiteralControl("<noscript><div><input type=\"submit\" value=\"Continue\"/></div></noscript>"));
-            p.Controls.Add(new LiteralControl("</div></form>"));                                      
+            p.Controls.Add(new LiteralControl("</div></form>"));
+
+            var nonceString = string.IsNullOrEmpty(cspNonce) ? "" : $" nonce={cspNonce}";
+            p.Controls.Add(new LiteralControl(Environment.NewLine + $"<script{nonceString}>document.forms[0].submit();</script>"));
             p.Controls.Add(new LiteralControl(Environment.NewLine + "</body>" + Environment.NewLine + "</html>"));
 
             return p;
diff --git a/src/SAML2/Protocol/Saml20LogoutHandler.cs b/src/SAML2/Protocol/Saml20LogoutHandler.cs
@@ -363,7 +363,8 @@ private void HandleRequest(HttpContext context)
                 XmlSignatureUtils.SignDocument(responseDocument, response.Id);
                 builder.Response = responseDocument.OuterXml;
                 builder.RelayState = context.Request.Params["RelayState"];
-                builder.GetPage().ProcessRequest(context);
+                var cspNonce = HttpContext.Current.Items["CSP-Script-Nonce"] as string;
+                builder.GetPage(cspNonce).ProcessRequest(context);
             }
         }
 
@@ -484,7 +485,8 @@ private void TransferClient(IdentityProviderElement idp, HttpContext context)
 
                 Logger.DebugFormat(TraceMessages.LogoutRequestSent, idp.Id, "POST", builder.Request);
 
-                builder.GetPage().ProcessRequest(context);
+                var cspNonce = HttpContext.Current.Items["CSP-Script-Nonce"] as string;
+                builder.GetPage(cspNonce).ProcessRequest(context);
                 context.Response.End();
                 return;
             }
diff --git a/src/SAML2/Protocol/Saml20SignonHandler.cs b/src/SAML2/Protocol/Saml20SignonHandler.cs
@@ -727,7 +727,8 @@ private void TransferClient(IdentityProviderElement identityProvider, Saml20Auth
 
                     Logger.DebugFormat(TraceMessages.AuthnRequestSent, postBuilder.Request);
 
-                    postBuilder.GetPage().ProcessRequest(context);
+                    var cspNonce = HttpContext.Current.Items["CSP-Script-Nonce"] as string;
+                    postBuilder.GetPage(cspNonce).ProcessRequest(context);
                     break;
                 case BindingType.Artifact:
                     Logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpArtifact);

Original file line number	Diff line number	Diff line change
`@@ -363,7 +363,8 @@ private void HandleRequest(HttpContext context)`
`363`	`363`	`XmlSignatureUtils.SignDocument(responseDocument, response.Id);`
`364`	`364`	`builder.Response = responseDocument.OuterXml;`
`365`	`365`	`builder.RelayState = context.Request.Params["RelayState"];`
`366`		`- builder.GetPage().ProcessRequest(context);`
	`366`	`+ var cspNonce = HttpContext.Current.Items["CSP-Script-Nonce"] as string;`
	`367`	`+ builder.GetPage(cspNonce).ProcessRequest(context);`
`367`	`368`	`}`
`368`	`369`	`}`
`369`	`370`
`@@ -484,7 +485,8 @@ private void TransferClient(IdentityProviderElement idp, HttpContext context)`
`484`	`485`
`485`	`486`	`Logger.DebugFormat(TraceMessages.LogoutRequestSent, idp.Id, "POST", builder.Request);`
`486`	`487`
`487`		`- builder.GetPage().ProcessRequest(context);`
	`488`	`+ var cspNonce = HttpContext.Current.Items["CSP-Script-Nonce"] as string;`
	`489`	`+ builder.GetPage(cspNonce).ProcessRequest(context);`
`488`	`490`	`context.Response.End();`
`489`	`491`	`return;`
`490`	`492`	`}`