From 1d1a7920434e2c87b086578af76c37ef2ee63388 Mon Sep 17 00:00:00 2001
From: John van der Wulp
Date: Mon, 9 Mar 2026 10:03:18 +0100
Subject: [PATCH] Chagned CSP to allow only values via SetAllowedFormAction

---
 backend/internal/controller/oidc_controller.go | 11 ++++++-----
 backend/internal/middleware/csp_middleware.go | 7 ++++---
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/backend/internal/controller/oidc_controller.go b/backend/internal/controller/oidc_controller.go
index 8d179cb0..51a9681b 100644
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -94,17 +94,18 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 return
 }
- // Set the allowed form-action in CSP when response_mode is form_post
- if input.ResponseMode == "form_post" && input.CallbackURL != "" {
- middleware.SetAllowedFormAction(c, input.CallbackURL)
- }
-
 code, callbackURL, err := oc.oidcService.Authorize(c.Request.Context(), input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
 if err != nil {
 _ = c.Error(err)
 return
 }
+ // Set the allowed form-action in CSP after validation (when response_mode is form_post)
+ // Only set if we have a valid callback URL from the service
+ if input.ResponseMode == "form_post" && callbackURL != "" {
+ middleware.SetAllowedFormAction(c, callbackURL)
+ }
+
 response := dto.AuthorizeOidcClientResponseDto{
 Code: code,
 CallbackURL: callbackURL,
diff --git a/backend/internal/middleware/csp_middleware.go b/backend/internal/middleware/csp_middleware.go
index 47a6d724..92d8220a 100644
--- a/backend/internal/middleware/csp_middleware.go
+++ b/backend/internal/middleware/csp_middleware.go
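Review bot: The comment `// Only set if we have a valid callback URL from the service` on the new guard asserts a property this handler cannot show: nothing in the hunk indicates that the `callbackURL` returned by `oc.oidcService.Authorize` has been matched against the client's registered redirect URIs, yet the CSP form-action is widened to exactly that value. I would make the comment say only what is guaranteed here, e.g. `// callbackURL is the value oidcService.Authorize returned after it validated the request; form-action is widened only to that value, never to the raw redirect_uri query parameter`, and confirm in the service that the redirect URI check really happens before it returns a non-empty callbackURL. It is also worth checking that the service does not normalise response_mode (case or aliases) in a way that makes `input.ResponseMode == "form_post"` disagree with the mode it actually serves, since the condition is still evaluated on the raw input. authorizeHandler starts and ends outside this hunk.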
@@ -34,12 +34,14 @@ func (m *CspMiddleware) Add() gin.HandlerFunc {
 nonce := generateNonce()
 c.Set("csp_nonce", nonce)
+ // Let the handler run first, then set CSP header with the final context values
+ c.Next()
+
 // Determine if there is an EXTRA target beyond 'self'
+ // This is set by handlers (e.g., OIDC authorize) after validating the redirect URI
 var extraAction string
 if v, ok := c.Get("csp_allowed_form_action"); ok {
 extraAction, _ = v.(string)
- } else if c.Query("response_mode") == "form_post" {
- extraAction = c.Query("redirect_uri")
 }
 // 'self' is kept in the string; extraAction is just appended
@@ -54,7 +56,6 @@ func (m *CspMiddleware) Add() gin.HandlerFunc {
 "script-src 'self' 'nonce-" + nonce + "'"
 c.Writer.Header().Set("Content-Security-Policy", csp)
- c.Next()
 }
 }
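Review bot: Moving `c.Next()` ahead of `c.Writer.Header().Set("Content-Security-Policy", csp)` (added in the first hunk, removed at the end of the second) means the header is now set after the downstream handler has returned, and net/http discards header changes made once the response has been committed; every handler that writes its body synchronously — which, as far as I know, gin's `c.JSON`/`c.HTML`/file serving all do — would then get no CSP header at all, including the authorize response this change is meant to cover. The previous order had the opposite problem (the value a handler stores under `csp_allowed_form_action` was read too early), which is presumably why `c.Next()` was moved, so the usual way out is to wrap `c.Writer` and assemble the policy from the context right before the first `WriteHeader`/`Write`, as sketched below with the directive string assembly between the two hunks left unchanged. Since `extraAction is just appended` into the header verbatim, the sketch also drops a value containing whitespace or `;` before concatenation, so a malformed stored redirect URI cannot end the source list or open a new directive (this needs `strings` imported if it is not already). Add starts before the first hunk.
```go
		nonce := generateNonce()
		c.Set("csp_nonce", nonce)

		// Defer assembling the policy until the response is committed: the
		// handler can still store csp_allowed_form_action, and no header is
		// set after the first write.
		c.Writer = &cspWriter{ResponseWriter: c.Writer, c: c, nonce: nonce}
		c.Next()
	}
}

// cspWriter sets Content-Security-Policy exactly once, right before the
// first WriteHeader or Write reaches the wrapped writer.
type cspWriter struct {
	gin.ResponseWriter
	c     *gin.Context
	nonce string
	set   bool
}

func (w *cspWriter) setPolicy() {
	if w.set {
		return
	}
	w.set = true
	// Determine if there is an EXTRA target beyond 'self'
	var extraAction string
	if v, ok := w.c.Get("csp_allowed_form_action"); ok {
		extraAction, _ = v.(string)
	}
	// A CSP source expression cannot contain whitespace or ';'; never let
	// such a value reach the header.
	if strings.ContainsAny(extraAction, " \t\r\n;") {
		extraAction = ""
	}
	// … unchanged: csp assembled from w.nonce and extraAction ('self' kept, extraAction appended) …
	w.ResponseWriter.Header().Set("Content-Security-Policy", csp)
}

func (w *cspWriter) WriteHeader(code int) {
	w.setPolicy()
	w.ResponseWriter.WriteHeader(code)
}

func (w *cspWriter) Write(b []byte) (int, error) {
	w.setPolicy()
	return w.ResponseWriter.Write(b)
}

func (w *cspWriter) WriteString(s string) (int, error) {
	w.setPolicy()
	return w.ResponseWriter.WriteString(s)
}
```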