dotnet/aspnetcore

Empty body responses can violate content security policy

Open

#4.652 geöffnet am 29. Mai 2018

Auf GitHub ansehen
 (2 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)C# (10.653 Forks)batch import
area-authenhancementhelp wanted

Repository-Metriken

Stars
 (37.933 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 16T 9h) (258 gemergte PRs in 30 T)

Beschreibung

Overview

I have a basic MVC website utilizing OIDC with authorization code flow for authentication. After implementing a content security policy, remote sign out will no longer function.

On remote signout the OpenIdConnectHandler will respond with a response of code 200 but with no body. As a result, browsers will interpret the response by improvising the text/html content. This can result in a content security policy violation based on the browser's improvisation.

Reproduction

I have a repository with the most basic configuration. Using Chrome, navigate directly to the RemoteSignOutPath (/signout-oidc) Chrome will report a content security policy violation from the pre element's inline style:

<html>
    <head></head>
    <body>
        <pre style="word-wrap: break-word; white-space: pre-wrap;"></pre>
    </body>
</html>

Currently there is limited recourse. I understand I have several options: using 'unsafe-inline', overriding the remote sign out implementation via the OnRemoteSignOut event, or add middleware to change the content security policy for the RemoteSignOutPath specifically. These options are somewhat contrived and not what I would think ideal. However, if there is a better solution that I am overlooking I would appreciate any insight.

I would request consideration for the text/html status code 200 HTTP responses include a body to avoid this browser improvisation.

Contributor Guide