
Feature: Option to register SSO Domain for CSP header #492

Open
valentin-ok opened this issue Aug 17, 2022 · 2 comments

@valentin-ok

Hi,

if you toggle the SSO redirect, you'll get a CSP error when the SSO provider is on a different domain than the Matrix server.

It would be great if we could have a field when toggling this switch to input the SSO server, to register it with the CSP headers without modifying the Nextcloud source code.

Best regards

csp

@pasith3e

Hi,

From my testing, this is a two-sided issue which also needs changes on the Matrix server side.
On my Nginx Ingress Controller for Kubernetes I added this for the Synapse Ingress:

    nginx.ingress.kubernetes.io/server-snippet: |
      more_set_headers "Content-Security-Policy: frame-ancestors https://$NEXTCLOUD_DOMAIN";

And for Nextcloud Ingress:

    nginx.ingress.kubernetes.io/server-snippet: |
      more_set_headers "Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src $NEXTCLOUD_DOMAIN 'unsafe-eval' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: *;font-src 'self' data:;connect-src 'self' *;media-src 'self' * blob: ;object-src *;frame-src 'self' blob: *;frame-ancestors $SSO_DOMAIN 'self' $NEXTCLOUD_DOMAIN;form-action 'self'";

I'm sure you don't need all the parameters, but this works for me.

@craigify

craigify commented Dec 10, 2023

Thanks for making me realize that I could use the reverse proxies to handle this. I run Apache instead of nginx.

On Synapse I added the following Apache directive so that it would modify the header only in the authn response workflow. This allows Synapse to run inside of the iframe:

    <Location /_synapse/client/saml2/authn_response>
      Header set Content-Security-Policy "frame-ancestors https://nextcloud.domain.com;"
      Header unset X-Frame-Options
    </Location>

Then, on the Apache reverse proxy for Nextcloud, this allows Nextcloud to load riotchat, the SSO login page, and the Matrix authN response page inside of the iframe:

    <LocationMatch /apps/riotchat>
      Header unset Content-Security-Policy
      Header always set Content-Security-Policy "frame-src 'self' https://nextcloud.domain.com https://matrix.domain.com https://sso.domain.com; frame-ancestors 'self';"
    </LocationMatch>
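Both comments above treat this as a two-sided problem: the Nextcloud side has to permit the frame (frame-src) and the Synapse side has to permit being framed (frame-ancestors, or X-Frame-Options when that directive is absent). As an added example, not code from this issue or from Nextcloud or Synapse, here is a small Python check that evaluates both halves against constructed headers modelled on the Apache snippets; nextcloud.domain.com and matrix.domain.com are the thread's placeholder hosts, and source matching covers only the forms used in the thread.

```python
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict[str, list[str]]:
    """'dir a b; dir2 c' -> {'dir': ['a', 'b'], 'dir2': ['c']}; first occurrence of a directive wins."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_allows(source: str, origin: str, self_origin: str) -> bool:
    """Match one source expression: 'none', *, 'self', scheme:, [scheme://]host[:port] or *.host."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return origin == self_origin
    if source.endswith(":"):  # scheme-source such as https: or blob:
        return urlsplit(origin).scheme + ":" == source
    want, have = urlsplit(source if "://" in source else "//" + source), urlsplit(origin)
    if want.scheme and want.scheme != have.scheme:
        return False
    if want.hostname.startswith("*."):
        return have.hostname.endswith(want.hostname[1:])
    return want.hostname == have.hostname and want.port == have.port

def directive_allows(policy: dict, directive: str, origin: str, self_origin: str, *fallbacks: str) -> bool:
    """Evaluate the first present directive of (directive, *fallbacks); none present means unrestricted."""
    for name in (directive, *fallbacks):
        if name in policy:
            return any(source_allows(s, origin, self_origin) for s in policy[name])
    return True

def can_embed(parent_csp: str, parent_origin: str, child_headers: dict, child_origin: str) -> bool:
    """True if a page from parent_origin may frame one from child_origin under both sides' headers."""
    parent_ok = directive_allows(parse_csp(parent_csp), "frame-src", child_origin, parent_origin,
                                 "child-src", "default-src")  # frame-src fallback chain
    child_csp = parse_csp(child_headers.get("Content-Security-Policy", ""))
    if "frame-ancestors" in child_csp:  # no fallback; overrides X-Frame-Options when present
        return parent_ok and directive_allows(child_csp, "frame-ancestors", parent_origin, child_origin)
    xfo = child_headers.get("X-Frame-Options", "").upper()  # otherwise X-Frame-Options decides
    return parent_ok and xfo != "DENY" and not (xfo == "SAMEORIGIN" and parent_origin != child_origin)

# Constructed origins and headers modelled on the Apache snippets in the thread (not real hosts).
NC, MX = "https://nextcloud.domain.com", "https://matrix.domain.com"
NEXTCLOUD_CSP = ("frame-src 'self' https://nextcloud.domain.com https://matrix.domain.com "
                 "https://sso.domain.com; frame-ancestors 'self'")
SYNAPSE_FIXED = {"Content-Security-Policy": "frame-ancestors https://nextcloud.domain.com"}
```

Dropping either half (a stock `frame-src 'self'` on the Nextcloud side, or a child that still sends `X-Frame-Options: DENY` without frame-ancestors) makes `can_embed` return False, which is the failure each comment fixes on its own side.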

4 participants