Merge pull request #405 from jrafanie/appliance-add-csp-for-oidc-login

Add CSP for oidc_login - allow unsafe-inline

Author: Fryguy

COPY/etc/httpd/conf.d/manageiq-https-application.conf

@@ -28,8 +28,8 @@ SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key
   Header unset ETag
   # Explicit HSTS needed: Location blocks using "Header set" don't inherit "Header always set" from VirtualHost
   Header always set Strict-Transport-Security   "max-age=631138519"
-  # CSP for static assets: includes directives that differ from default-src 'self' and
-  # directives that do not fall back to default-src (base-uri, form-action, frame-ancestors)
+  # CSP for static assets: strict policy since these are pre-compiled external files
+  # No unsafe-inline needed - all scripts/styles are external resources
   Header set Content-Security-Policy            "default-src 'self'; base-uri 'self'; child-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; worker-src 'self'; font-src 'self' fonts.gstatic.com fonts.googleapis.com; img-src 'self' data:; style-src 'self' fonts.googleapis.com fonts.gstatic.com; report-uri /dashboard/csp_report; report-to csp-endpoint"
   Header set Report-To                          "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"/dashboard/csp_report\"}]}"
   Header set X-Content-Type-Options             "nosniff"

TEMPLATE/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb

@@ -16,23 +16,30 @@ OIDCOAuthIntrospectionEndpoint     <%= oidc_introspection_endpoint %>
 OIDCOAuthIntrospectionEndpointAuth client_secret_basic
 OIDCCookieSameSite                 On
 
+# CSP for OIDC authentication redirects - allows inline styles/scripts needed by auth flow
 <Location /oidc_login>
-  AuthType  openid-connect
-  Require   valid-user
-  FileETag  None
-  Header    Set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
-  Header    Set Pragma "no-cache"
-  Header    Unset ETag
+  AuthType                   openid-connect
+  Require                    valid-user
+  FileETag                   None
+  Header always set Strict-Transport-Security "max-age=631138519"
+  Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; report-uri /dashboard/csp_report; report-to csp-endpoint"
+  Header set Report-To       "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"/dashboard/csp_report\"}]}"
+  Header Set Cache-Control   "max-age=0, no-store, no-cache, must-revalidate"
+  Header Set Pragma          "no-cache"
+  Header Unset ETag
 </Location>
 
 <Location /ui/service/oidc_login>
-  AuthType  openid-connect
-  Require   valid-user
-  FileETag  None
-  Header    Set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
-  Header    Set Pragma "no-cache"
-  Header    Set Set-Cookie "miq_oidc_access_token=%{OIDC_access_token}e; Max-Age=10; Path=/ui/service"
-  Header    Unset ETag
+  AuthType                   openid-connect
+  Require                    valid-user
+  FileETag                   None
+  Header always set Strict-Transport-Security "max-age=631138519"
+  Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; report-uri /dashboard/csp_report; report-to csp-endpoint"
+  Header set Report-To       "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"/dashboard/csp_report\"}]}"
+  Header Set Cache-Control   "max-age=0, no-store, no-cache, must-revalidate"
+  Header Set Pragma          "no-cache"
+  Header Set Set-Cookie      "miq_oidc_access_token=%{OIDC_access_token}e; Max-Age=10; Path=/ui/service"
+  Header Unset ETag
 </Location>
 
 <LocationMatch ^/api(?!\/(v[\d\.]+\/)?product_info$)>