fix missing domain in child-src during SAML POST logout (#2513)

4 years ago · 913ebbd556
parent 5ba0c11b58
commit 913ebbd556
2 changed files with 7 additions and 0 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
@ -2675,6 +2675,8 @@ sub sendLogoutRequestToProvider {
                name => $providerName,
            }
        );
+        $req->data->{cspChildSrc}->{ $self->p->cspGetHost( $logout->msg_url ) }
+          = 1;
    }

    # HTTP-SOAP
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@ -936,6 +936,11 @@ sub sendHtml {
        @url = map { s#https?://([^/]+).*#$1#; $_ }
          ( $req->info =~ /<iframe.*?src="(.*?)"/sg );
    }
+
+    # Update child-src header from request data
+    if ( ref( $req->data->{cspChildSrc} ) eq "HASH" ) {
+        push @url, keys %{ $req->data->{cspChildSrc} };
+    }
    if (@url) {
        $csp .= join( ' ', 'child-src', @url, "'self'" ) . ';';
    }