
frame-ancestors: 'self' is removed from custom CSP #29509

Closed
simon-weiler-syzygy opened this issue May 14, 2024 · 2 comments
Labels
area/login/ui kind/bug Categorizes a PR related to a bug team/core-clients

Comments

@simon-weiler-syzygy

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

login/ui

Describe the bug

Since the newest upgrade from 24.0.3 to 24.0.4, the CSP header gets altered by Keycloak so that "frame-ancestors: 'self'" gets removed from the policy.

This seems to have been introduced on purpose by this commit. Is there a good reason for this?

We got alerted to this by our ZAP Scan, which complains now about the missing setting.

Version

24.0.4

Regression

  • The issue is a regression

Expected behavior

When I set frame-src 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; media-src 'self'; manifest-src 'self'; worker-src 'self'; form-action 'self' as CSP in realm settings, I expect this to be the exact CSP header delivered to clients.

Actual behavior

The actual header in the response is Content-Security-Policy: frame-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; media-src 'self'; manifest-src 'self'; worker-src 'self'; form-action 'self';.

How to Reproduce?

  1. Create a new realm and use frame-src 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; media-src 'self'; manifest-src 'self'; worker-src 'self'; form-action 'self' as Content-Security-Policy under Realm settings -> Security defenses.
  2. Send a request like curl -v https://<hostname>/login/realms/<realm>/protocol/openid-connect/3p-cookies/step1.html
  3. See in the output that the header is changed to Content-Security-Policy: frame-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; media-src 'self'; manifest-src 'self'; worker-src 'self'; form-action 'self';

Anything else?

No response

@jonkoops
Contributor

Is there a good reason for this?

Yes, this would break the login flow if the iframe is embedded on a different domain, see #24568 for background information. If you were to set this to frame-ancestors: 'self' then this iframe would only be embedded on the same domain as your Keycloak server hosting it. So if you had a client that authenticates from a.com and your Keycloak server is hosted on b.com, it would simply stop working.

Closing this issue as this is working as intended.

@jonkoops closed this as not planned on May 14, 2024
@rmartinc
Contributor

As @jonkoops mentioned, this is the result of issue #24568: we need to change frame-ancestors and frame-src to allow the login of the JavaScript adapter. Nevertheless, in the case of frame-ancestors, if it is configured to something different from the default 'self', it is not removed. In that case it was decided to respect what you have configured. This was discussed in PR #24577.
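To verify what a scanner like ZAP is flagging, the following added example (not code from this thread or from Keycloak) parses the expected and delivered Content-Security-Policy values from the report above and lists every directive that differs. The `expected_3p_cookies_csp` function is a model of the behaviour the maintainers describe for frame-ancestors only (dropped when it is the default 'self', kept otherwise); it is an assumption for illustration, not Keycloak's implementation, and ignores anything else Keycloak may do to the header.

```python
from typing import Dict, List, Optional, Tuple

# Policy configured in realm settings and header observed in the response (from the report above).
EXPECTED_POLICY = ("frame-src 'self'; frame-ancestors 'self'; object-src 'none'; "
                   "script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; "
                   "connect-src 'self'; font-src 'self'; media-src 'self'; "
                   "manifest-src 'self'; worker-src 'self'; form-action 'self'")
ACTUAL_HEADER = ("frame-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; "
                 "style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; "
                 "media-src 'self'; manifest-src 'self'; worker-src 'self'; form-action 'self';")

FRAME_ANCESTORS_DEFAULT = ["'self'"]  # assumed default value that the thread says gets removed


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}. Directives are ';'-separated,
    the first token is the name (case-insensitive), the rest are source expressions.
    Empty segments (e.g. the trailing ';' in the observed header) are skipped and
    a repeated directive keeps its first occurrence, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for segment in header.split(";"):
        tokens = segment.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def diff_csp(expected: str, actual: str) -> Dict[str, Tuple[Optional[List[str]], Optional[List[str]]]]:
    """Return {directive: (expected_sources, actual_sources)} for every directive that
    is missing, added, or has a different source list; None marks an absent directive."""
    exp, act = parse_csp(expected), parse_csp(actual)
    return {name: (exp.get(name), act.get(name))
            for name in sorted(set(exp) | set(act)) if exp.get(name) != act.get(name)}


def expected_3p_cookies_csp(configured: str) -> str:
    """Hypothetical model of the described rule: frame-ancestors is dropped only when
    it equals the default 'self'; any other configured value is respected."""
    policy = parse_csp(configured)
    if policy.get("frame-ancestors") == FRAME_ANCESTORS_DEFAULT:
        del policy["frame-ancestors"]
    return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items())


if __name__ == "__main__":
    for directive, (want, got) in diff_csp(EXPECTED_POLICY, ACTUAL_HEADER).items():
        print(f"{directive}: expected {want}, got {got}")
```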
