Question posted in 
I have integrated the single-sign-on in our application using WsFedration(ADFS)
after the sign-out, it’s redirecting to the page as successfully log out and back to the login page.
this follow is working correctly after hosting in the windows server, but after the hosting, to the Nginx server I’m having a problem, it’s not redirecting to the login page, console error says,
Refused to frame ‘https://xxx-yyy.zzz.rr/’ because it violates the following Content Security Policy directive: "default-src ‘self’". Note that ‘frame-src’ was not explicitly set, so ‘default-src’ is used as a fallback
then I search regarding this and added the Content Security Policy (CSP) to the Nginx config file like below.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "style-src-elem 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css";
add_header Content-Security-Policy "style-src 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css";
add_header Content-Security-Policy "frame-src 'unsafe-inline' 'self' none";
add_header Content-Security-Policy "default-src 'unsafe-inline' 'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css ";
add_header Content-Security-Policy "frame-ancestors 'self' 'unsafe-inline' none";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com https://fonts.gstatic.com";
I tried several ways, but I couldn’t figure it out , if anyone can help me to fix this issue much appreciated.
thanks in advance.
2
Answers
But you trickely use unique directives in each CSP, therefore the whole set would work as intended if not the
default-srcdirective. If it’s issued in a separate CSP, thedefault-srcoverrides all other fallback-directives. As result you have'unsafe-inline' 'self'rule for all directives.You have to place all directives in the one
add_header Content-Security-Policy.https://fonts.googleapis.com/csssource should have trailing/, because it;s a folder name, not file name.nonetoken should be single quoted –'none', and it will be ignored if it’s combined with the other sources."frame-src 'unsafe-inline' 'self' none"– theframe-srcis not support'unsafe-inline'token."frame-ancestors 'self' 'unsafe-inline' none"– theframe-ancestorsis not support'unsafe-inline'token."font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com https://fonts.gstatic.com"– thefont-srcis not support'unsafe-inline'token."default-src 'unsafe-inline' 'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css "– the;(semicolon) after'self'does finish thedefault-srcrules set, thereforehttps://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.cssis counted as directive name.Here your rules:
In my case I follow the tip of @granty about first topic
And I "remove" the Header in my Nginx configuration:
In my Keycloak the Headers of Security Defenses are: