See:
The best solution would be to let EB set the CSP header instead of relying on webserver logic to insert the header on the correct pages.
Concretely, we would like this CSP:
content-security-policy: default-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' https://static.openconex.org http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'
to be automatically included on all template-based pages, including (at least):
- WAYF
- consent
- error screens
- service request
- metadata home screen
It should not be included on any pages producing XML (including SAML metadata, requests and assertions).
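One way to implement the requested behaviour, as an added example that is not EngineBlock code: a small WSGI middleware that attaches the policy based on the response's Content-Type rather than on webserver URL rules, so HTML pages get the header and XML output (SAML metadata, requests, assertions) never does. The sample app and its routes (/wayf, /consent, /error, /metadata) are constructed stand-ins for EB's template pages and XML endpoints, not EB's real URL layout.

```python
"""Set Content-Security-Policy from the application, keyed on the response
media type, instead of from webserver URL rules.

Added example, not EngineBlock code. SAMPLE_ROUTES and the route paths are
constructed for illustration only.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# The policy requested in the issue, kept as structured data so the
# serialised header cannot drift from the reviewed text.
CSP_DIRECTIVES: Dict[str, List[str]] = {
    "default-src": ["'none'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "img-src": ["'self'", "https://static.openconex.org", "http://localhost:*", "data:"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'none'"],
}


def build_csp(directives: Dict[str, List[str]] = CSP_DIRECTIVES) -> str:
    """Serialise directives as 'name src src; name src' (CSP header syntax)."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


# Only template-rendered HTML gets the policy. Keep the allow-list narrow:
# an absent or unknown Content-Type is left alone, so the decision is explicit.
HTML_MEDIA_TYPES = {"text/html"}


def wants_csp(content_type: str) -> bool:
    """True for text/html (ignoring parameters such as charset), False otherwise."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in HTML_MEDIA_TYPES


def csp_middleware(app, policy: Optional[str] = None):
    """Wrap a WSGI app so HTML responses carry the CSP header exactly once."""
    policy = policy or build_csp()

    def wrapped(environ, start_response):
        def start_with_csp(status, headers, exc_info=None):
            names = [k.lower() for k, _ in headers]
            content_type = next((v for k, v in headers if k.lower() == "content-type"), "")
            # Add the header only for HTML, and never override one the app set itself.
            if wants_csp(content_type) and "content-security-policy" not in names:
                headers = list(headers) + [("Content-Security-Policy", policy)]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_csp)

    return wrapped


# Constructed sample routes: three template pages and one XML endpoint.
SAMPLE_ROUTES: Dict[str, Tuple[str, bytes]] = {
    "/wayf": ("text/html; charset=UTF-8", b"<!doctype html><title>Where are you from?</title>"),
    "/consent": ("text/html; charset=UTF-8", b"<!doctype html><title>Consent</title>"),
    "/error": ("text/html; charset=UTF-8", b"<!doctype html><title>Error</title>"),
    "/metadata": (
        "application/samlmetadata+xml",
        b'<?xml version="1.0"?><md:EntitiesDescriptor '
        b'xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"/>',
    ),
}


def sample_app(environ, start_response):
    """Minimal WSGI app serving SAMPLE_ROUTES; unknown paths get a text/plain 404."""
    route = SAMPLE_ROUTES.get(environ.get("PATH_INFO", ""))
    if route is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    content_type, body = route
    start_response("200 OK", [("Content-Type", content_type), ("Content-Length", str(len(body)))])
    return [body]


def call(app, path: str) -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app for one GET; return (status, lower-cased headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


def audit(app, paths: Iterable[str]) -> Dict[str, bool]:
    """Map each path to whether its response carried a Content-Security-Policy."""
    return {p: "content-security-policy" in call(app, p)[1] for p in paths}


if __name__ == "__main__":
    wrapped_app = csp_middleware(sample_app)
    for path, has_csp in audit(wrapped_app, SAMPLE_ROUTES).items():
        print(f"{path:12s} CSP={'yes' if has_csp else 'no'}")
```

The decision is made on the media type of the response, not on the URL, so new template pages pick up the policy without anyone maintaining a webserver location list, and XML endpoints stay clean even if they move. One caveat when applying this to SAML: the HTTP-POST binding delivers requests and assertions inside an HTML form page, which under this rule receives the policy too; with `script-src 'self'` that form's auto-submit script has to be served as a separate file rather than inline.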
unsafe-inline CSP because of embedded json/js #1331