I have integrated single sign-on in our application using WS-Federation (ADFS).
After the sign-out, it redirects to a page saying the user has successfully logged out and then back to the login page.
This flow works correctly when hosted on the Windows server, but after hosting on the Nginx server I'm having a problem: it is not redirecting to the login page, and the console error says,
Refused to frame ‘https://xxx-yyy.zzz.rr/’ because it violates the following Content Security Policy directive: "default-src ‘self’". Note that ‘frame-src’ was not explicitly set, so ‘default-src’ is used as a fallback
Then I searched regarding this and added the Content Security Policy (CSP) to the Nginx config file like below.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "style-src-elem 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css";
add_header Content-Security-Policy "style-src 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css";
add_header Content-Security-Policy "frame-src 'unsafe-inline' 'self' none";
add_header Content-Security-Policy "default-src 'unsafe-inline' 'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css ";
add_header Content-Security-Policy "frame-ancestors 'self' 'unsafe-inline' none";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com https://fonts.gstatic.com";
I tried several ways, but I couldn't figure it out. If anyone can help me fix this issue, it would be much appreciated.
Thanks in advance.
2 Answers
But you trickily use unique directives in each CSP, therefore the whole set would work as intended if not for the default-src directive. If it's issued in a separate CSP, the default-src overrides all other fallback directives. As a result you have the 'unsafe-inline' 'self' rule for all directives. You have to place all directives in the one add_header Content-Security-Policy.

The https://fonts.googleapis.com/css source should have a trailing /, because it's a folder name, not a file name.

The none token should be single quoted, 'none', and it will be ignored if it's combined with the other sources.

"frame-src 'unsafe-inline' 'self' none" – the frame-src does not support the 'unsafe-inline' token.

"frame-ancestors 'self' 'unsafe-inline' none" – the frame-ancestors does not support the 'unsafe-inline' token.

"font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com https://fonts.gstatic.com" – the font-src does not support the 'unsafe-inline' token.

"default-src 'unsafe-inline' 'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css " – the ; (semicolon) after 'self' does finish the default-src rule set, therefore https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css is counted as a directive name.

Here your rules:
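To make the answer's points concrete, here is an added example (not code from the question or from either answer): a small Python tokeniser that splits a Content-Security-Policy value the way browsers do (directives separated by ';', the first token of each being the directive name, the rest source expressions), runs the six headers from the question through it, and shows that the ADFS frame is still governed by the separate default-src policy and that the stray semicolon turns a URL into a directive name. The CORRECTED header is an assumption built from the answer's advice (one header, quoted 'none' dropped where it would be ignored, no 'unsafe-inline' on frame-src, frame-ancestors or font-src, trailing slash on the fonts path, no stray semicolon); https://adfs.example is a constructed placeholder for the federation server origin named in the console error, allowed only on frame-src rather than by widening default-src.

```python
"""Added example, not part of the original question or answers.

Tokenises CSP values as browsers do and checks the mistakes the answer
lists. QUESTION_HEADERS are copied from the question; CORRECTED is an
assumption derived from the answer; https://adfs.example is a placeholder.
"""
from typing import Dict, List

KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "child-src", "frame-src",
    "worker-src", "frame-ancestors", "base-uri", "form-action",
    "report-uri", "report-to", "upgrade-insecure-requests",
}
# 'unsafe-inline' only has meaning for script and style directives.
INLINE_CAPABLE = {"default-src", "script-src", "script-src-elem", "script-src-attr",
                  "style-src", "style-src-elem", "style-src-attr"}
# Fallback chain a browser consults when a fetch directive is absent;
# frame-ancestors deliberately has no fallback to default-src.
FALLBACK = {
    "frame-src": ["child-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "frame-ancestors": [],
}

QUESTION_HEADERS = [  # the six add_header values from the question, in order
    "style-src-elem 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css",
    "style-src 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css",
    "frame-src 'unsafe-inline' 'self' none",
    "default-src 'unsafe-inline' 'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css ",
    "frame-ancestors 'self' 'unsafe-inline' none",
    "font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com https://fonts.gstatic.com",
]

# Assumption: one policy applying the answer's points. default-src is kept
# to 'self' so 'unsafe-inline' does not leak into script-src via fallback;
# the IdP origin is a placeholder and is allowed only for framing.
CORRECTED = (
    "default-src 'self'; "
    "style-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css/; "
    "font-src 'self' https://netdna.bootstrapcdn.com https://fonts.gstatic.com; "
    "frame-src 'self' https://adfs.example; "
    "frame-ancestors 'self'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split on ';' then whitespace: first token is the directive name, the
    rest are sources. A repeated directive name is ignored, as in browsers."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint(policy: Dict[str, List[str]]) -> List[str]:
    """Report the problems the answer describes, for one parsed policy."""
    findings = []
    for name, sources in policy.items():
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"{name}: unknown directive name (stray ';' before it?)")
            continue
        if "none" in sources:
            findings.append(f"{name}: bare none is a host source; write 'none'")
        if "'none'" in sources and len(sources) > 1:
            findings.append(f"{name}: 'none' is ignored alongside other sources")
        if "'unsafe-inline'" in sources and name not in INLINE_CAPABLE:
            findings.append(f"{name}: 'unsafe-inline' has no effect here")
    return findings


def effective_sources(headers: List[str], directive: str) -> List[List[str]]:
    """Each CSP header is enforced independently and a load must satisfy all
    of them. Return, per policy, the source list that governs `directive`
    (following the fallback chain); policies silent on it are skipped."""
    result = []
    for header in headers:
        policy = parse_csp(header)
        for name in [directive] + FALLBACK.get(directive, ["default-src"]):
            if name in policy:
                result.append(policy[name])
                break
    return result


if __name__ == "__main__":
    for h in QUESTION_HEADERS:
        for f in lint(parse_csp(h)):
            print("question:", f)
    print("frame-src is governed by:", effective_sources(QUESTION_HEADERS, "frame-src"))
    print("corrected findings:", lint(parse_csp(CORRECTED)))
    print("corrected frame-src:", effective_sources(CORRECTED.split("\n"), "frame-src"))
```

Running it shows that, with the headers from the question, an iframe load is checked against both the frame-src policy and the separate default-src policy ('unsafe-inline' 'self'), so the federation server origin is refused exactly as the console error says; the single corrected header yields one governing frame-src list and no lint findings.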
In my case I followed the tip of @granty about the first topic,
and I "removed" the header in my Nginx configuration:
In my Keycloak the headers of Security Defenses are: