Before reporting an issue
I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
login/ui
Describe the bug
Since the newest upgrade from 24.0.3 to 24.0.4, the CSP header gets altered by Keycloak so that "frame-ancestors: 'self'" gets removed from the policy.
This seems to have been introduced on purpose by this commit. Is there a good reason for this?
We got alerted to this by our ZAP Scan, which complains now about the missing setting.
Version
24.0.4
Regression
The issue is a regression
Expected behavior
When I set frame-src 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; media-src 'self'; manifest-src 'self'; worker-src 'self'; form-action 'self' as CSP in realm settings, I expect this to be the exact CSP header delivered to clients.
Actual behavior
The actual header in the response is Content-Security-Policy: frame-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; media-src 'self'; manifest-src 'self'; worker-src 'self'; form-action 'self';.
How to Reproduce?
Create a new realm and use frame-src 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; media-src 'self'; manifest-src 'self'; worker-src 'self'; form-action 'self' as Content-Security-Policy under Realm settings -> Security defenses.
Send a request like curl -v https://<hostname>/login/realms/<realm>/protocol/openid-connect/3p-cookies/step1.html
See in the output that the header is changed to Content-Security-Policy: frame-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; media-src 'self'; manifest-src 'self'; worker-src 'self'; form-action 'self';
Anything else?
No response
Yes, this would break the login flow if the iframe is embedded on a different domain; see #24568 for background information. If you were to set this to frame-ancestors: 'self', then this iframe could only be embedded on the same domain as your Keycloak server hosting it. So if you had a client that authenticates from a.com and your Keycloak server is hosted on b.com, it would simply stop working.
Closing this issue as this is working as intended.
As @jonkoops mentioned, this is a result of issue #24568: we need to change frame-ancestors and frame-src to allow the login of the JavaScript adapter. Nevertheless, in the case of frame-ancestors, if it is configured to something different from the default 'self', it is not removed. In that case it was decided to respect what you have configured. This was discussed in PR #24577.
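The behaviour the maintainers describe (frame-ancestors is dropped on the 3p-cookies page only when it is exactly the default 'self', anything else is respected) and the check that a scanner such as ZAP raises against the delivered header, as an added Python model. This is example code written for this thread, not Keycloak's implementation; the rewrite rule is my reading of the comments above, and the configured and delivered policies are the ones quoted in the issue.

```python
"""Model of the CSP rewrite discussed in this issue (constructed example, not Keycloak code)."""
from __future__ import annotations

# Policy quoted in the issue as configured under Realm settings -> Security defenses.
CONFIGURED = ("frame-src 'self'; frame-ancestors 'self'; object-src 'none'; "
              "script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self'; "
              "connect-src 'self'; font-src 'self'; media-src 'self'; manifest-src 'self'; "
              "worker-src 'self'; form-action 'self'")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}, keeping directive order."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:  # skip the empty string left by a trailing ';'
            policy[parts[0].lower()] = parts[1:]
    return policy


def serialize_csp(policy: dict[str, list[str]]) -> str:
    """Rebuild the header in the form the issue shows (trailing ';' included)."""
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in policy.items()) + ";"


def delivered_csp_for_3p_cookies(configured: str) -> str:
    """Assumed model of 24.0.4: frame-ancestors is removed only when it is exactly
    the default 'self'; a custom list of ancestors is left untouched (per PR #24577)."""
    policy = parse_csp(configured)
    if policy.get("frame-ancestors") == ["'self'"]:
        del policy["frame-ancestors"]
    return serialize_csp(policy)


def frame_ancestors_finding(header: str) -> str | None:
    """Scanner-style check: explain why the delivered header would be flagged."""
    sources = parse_csp(header).get("frame-ancestors")
    if sources is None:
        return "frame-ancestors missing: page may be framed from any origin"
    if "*" in sources:
        return "frame-ancestors '*': page may be framed from any origin"
    return None  # framing is restricted; nothing to report
```

Running `delivered_csp_for_3p_cookies(CONFIGURED)` reproduces the header quoted under "Actual behavior", and `frame_ancestors_finding` on that result gives the finding the reporter's ZAP scan raised.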