Add headers to allow the inline script for SSO redirect.

The script sha256 needs to be present to allow the browser to run the script with the CSP. The sha is for the Javascript code of the sso_callback_template: https://github.com/openstack/keystone/blob/master/etc/sso_callback_template.html#L17-L19 Change-Id: I7dd383fcc20c8b46e8e713b28d23e9c9e45679c2
2019-06-04 14:43:01 -04:00 · 2019-06-04 14:43:01 -04:00 · 6960c141e5
parent 4d88d04f44
commit 6960c141e5
1 changed files with 3 additions and 0 deletions
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -16,6 +16,9 @@ Listen {{ keystone_service_port }}
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Content-Security-Policy "default-src 'self' https: wss:;"
+    {% if keystone_sp != {} -%}
+    Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
+    {% endif %}
    Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"

    {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}