    Make POST template compatible with CSP (#635) · 9c49e503
    Jan de Mooij authored
    See issue #593 for a problem description.
    SimpleSamlPHP makes use of unsafe inline JavaScript and CSS elements.
    Although most generated HTML uses SimpleSamlPHP's own headers, the
    keepPost option in an authentication request uses the headers of
    the PHP application it is sent from. This forces web applications
    using SimpleSamlPHP to allow 'unsafe-inline' in their Content
    Security Policy.
    
    This commit fixes this issue for the keepPost page 'only', to
    allow PHP applications using SimpleSamlPHP to use a more strict
    Content Security Policy. This does not take away from possible
    XSS vulnerabilities in other parts of SimpleSamlPHP.