From 632a0d956f05081c0226148d8cadebc99d8bfd1f Mon Sep 17 00:00:00 2001
From: Patrick Rauscher
Date: Thu, 2 May 2024 12:45:28 +0200
Subject: [PATCH] Fix Content-Security-Policy if hash is included in script-src (#404)
* replace unsafe-inline with nonce for autosubmit
* add note to docs about nonce
* bump version
* add check for nonce
---
 .../templates/djangosaml2/post_binding_form.html | 15 +++++++++++++++
 djangosaml2/utils.py | 4 ++--
 docs/source/contents/security.md | 5 +++++
 setup.py | 2 +-
 4 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 djangosaml2/templates/djangosaml2/post_binding_form.html
diff --git a/djangosaml2/templates/djangosaml2/post_binding_form.html b/djangosaml2/templates/djangosaml2/post_binding_form.html
new file mode 100644
index 00000000..e70c183a
--- /dev/null
+++ b/djangosaml2/templates/djangosaml2/post_binding_form.html
@@ -0,0 +1,15 @@
+ +

+You're being redirected to a SSO login page.
+Please click the button below if you're not redirected automatically within a few seconds.

+
+ {% for key, value in params.items %} + + {% endfor %} + +
diff --git a/djangosaml2/utils.py b/djangosaml2/utils.py
index 3299da86..e13182a0 100644
--- a/djangosaml2/utils.py
+++ b/djangosaml2/utils.py
@@ -257,6 +257,6 @@ def _django_csp_update_decorator():
 )
 return
 else:
- # script-src 'unsafe-inline' to autosubmit forms,
+ # autosubmit of forms uses nonce per default
 # form-action https: to send data to IdPs
- return csp_update(SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"])
+ return csp_update(FORM_ACTION=["https:"])
diff --git a/docs/source/contents/security.md b/docs/source/contents/security.md
index 46f93fea..4e0f7c49 100644
--- a/docs/source/contents/security.md
+++ b/docs/source/contents/security.md
@@ -34,6 +34,11 @@ guides:
 djangosaml2 will automatically blend in and update the headers for POST-bindings, so you must not include exceptions for djangosaml2 in your global configuration.
+Note that to enable autosubmit of post-bindings inline-javascript is used. To
+allow execution of this autosubmit-code a nonce is included, which works in
+default configuration but may not work if you modify `CSP_INCLUDE_NONCE_IN`
+to exclude `script-src`.
+
 You can specify a custom CSP handler via the `SAML_CSP_HANDLER` setting and the warning can be disabled by setting `SAML_CSP_HANDLER=''`. See the [djangosaml2](https://djangosaml2.readthedocs.io/) documentation for more
diff --git a/setup.py b/setup.py
index 7713acd1..267921a2 100644
--- a/setup.py
+++ b/setup.py
@@ -27,7 +27,7 @@ def read(*rnames):
 
 setup(
 name="djangosaml2",
- version="1.9.2",
+ version="1.9.3",
 description="pysaml2 integration for Django",
 long_description=read("README.md"),
 long_description_content_type="text/markdown",
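Review bot: Nothing in the `else:` branch checks that django-csp will actually emit a nonce on `script-src`, which the new `return csp_update(FORM_ACTION=["https:"])` line now silently relies on for the autosubmit script, and the commit message's "add check for nonce" item has no visible counterpart in this hunk or in the diffstat's other three files. As far as I recall, django-csp 3.x defaults `CSP_INCLUDE_NONCE_IN` to `['default-src']`, and a site that sets an explicit `CSP_SCRIPT_SRC` (the very case in the title) gets no nonce on `script-src` because that directive overrides `default-src`, so the login page would stall on the noscript fallback with no log line explaining why; please confirm against the django-csp versions you support. A cheap guard in this branch, assuming the module's `settings` and `logger` are in scope, would be `if "script-src" not in getattr(settings, "CSP_INCLUDE_NONCE_IN", ["default-src"]):` followed by `logger.warning("django-csp will not add a nonce to script-src; the POST-binding autosubmit script will be blocked by the policy")`. `_django_csp_update_decorator` begins above the hunk, so the earlier `if` branch that returns is not visible here.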