Add headers to allow the inline script for SSO redirect.

The script sha256 needs to be present to allow the browser to run the
script with the CSP.

The sha is for the JavaScript code of the sso_callback_template:
https://github.com/openstack/keystone/blob/master/etc/sso_callback_template.html#L17-L19
Change-Id: I7dd383fcc20c8b46e8e713b28d23e9c9e45679c2
Marc Gariepy 2019-06-04 14:43:01 -04:00 committed by Marc Gariépy (mgariepy)
parent 4d88d04f44
commit 6960c141e5

@ -16,6 +16,9 @@ Listen {{ keystone_service_port }}
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self' https: wss:;"
{% if keystone_sp != {} -%}
Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
{% endif %}
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
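Review bot: The second `Header set Content-Security-Policy` inside the `{% if keystone_sp != {} -%}` block replaces the first one rather than adding to it, because Apache's `Header set` overwrites any existing value of that header. When an SP is configured the effective policy is therefore only `script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';`, and the `default-src 'self' https: wss:` fallback for all other resource types is lost. Suggest emitting a single directive that carries both, e.g. `Header set Content-Security-Policy "default-src 'self' https: wss:; script-src 'self' 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"` inside the conditional and the existing unconditional line in an `{% else %}` branch. Also worth a comment next to the hash: it is tied to the exact bytes of the inline script in sso_callback_template.html, so any change to that template (including whitespace) silently breaks the SSO redirect until the hash is regenerated.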