I’m trying to increase the security of our application’s CSP and I have run into issues during the login process, specifically around the use of form-action on the login call. The same issue applies for logging out, but as there is just a single logout URL it is relatively simple to add the URL to our CSP.
This issue has been discussed in depth on the WebAppSec Content Security Policy GitHub issue “CSP: form-action and redirects” (w3c/webappsec-csp issue #8), and it looks like other auth providers have run into a similar issue. I’m looking for advice on how to best approach this with Auth0.
For example, I have a logout form button which points to /auth/logout, which then 302 redirects to https://#{AUTH0_DOMAIN}/v2/logout. My form-action CSP for logout looks like:
form-action 'self' https://#{AUTH0_DOMAIN}/v2/logout;
Where I am running into trouble is creating a stricter CSP rule for our login page. For example, I have a login form button which points to /auth/auth0, which then, depending on the user’s interactions, goes through a series of form 302 redirects, each of which needs a form-action entry in the CSP to work:
Redirect 1. https://#{AUTH0_DOMAIN}/authorize
Redirect 2. https://#{AUTH0_DOMAIN}/u/login/identifier
Redirect 3. https://accounts.google.com/o/oauth2/auth
Redirect 4. https://login.us.auth0.com/login/callback
To get this working, my form-action CSP on the login page looks as follows (formatted with new lines for ease of reading):
form-action 'self'
https://#{AUTH0_DOMAIN}/authorize
https://#{AUTH0_DOMAIN}/u/login/identifier
https://login.us.auth0.com/login/callback
https://accounts.google.com/o/oauth2/auth
I’m not opposed to listing all possible redirects in the CSP, however I worry that I might miss some, e.g. what if I add Facebook login? Or what if Google OAuth2 login has an extra redirect step?
Is there a better approach here, or a way to ask Auth0 for all possible redirect URLs? What are others doing to combine a stricter CSP with Auth0 and login form redirects?
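The mechanism the post is running into, that a form-action source list is checked against every hop of the form submission's redirect chain and that path-level entries stop working as soon as a provider adds or renames a path, can be made concrete with a small model. The following is an added example written for this page, not code from the original post or from Auth0. It implements the CSP3 host-source matching rules only as far as form-action needs them here ('self', scheme/host/port, exact path or trailing-slash prefix; wildcard hosts are deliberately not modelled), walks a redirect chain against a policy and reports the first hop that would be blocked, and collapses an observed chain into host-level sources. PAGE_ORIGIN, AUTH0_DOMAIN and every query string are constructed placeholders; the chain itself is the one from the post with the app's own /auth/auth0 action added as the first hop.

```python
"""CSP form-action vs. a login redirect chain (added example, not from the post)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed placeholders: PAGE_ORIGIN is the app serving the CSP, AUTH0_DOMAIN
# stands in for the post's #{AUTH0_DOMAIN}. Query strings are made up; real
# ones come from the Location headers observed during a login.
PAGE_ORIGIN = "https://app.example.com"
AUTH0_DOMAIN = "example-tenant.us.auth0.com"
LOGIN_CHAIN = [
    "https://app.example.com/auth/auth0",
    f"https://{AUTH0_DOMAIN}/authorize?client_id=abc123&response_type=code",
    f"https://{AUTH0_DOMAIN}/u/login/identifier?state=st4te",
    "https://accounts.google.com/o/oauth2/auth?client_id=g00gle&state=st4te",
    "https://login.us.auth0.com/login/callback?code=c0de&state=st4te",
]
# The path-level policy from the post, with the placeholder substituted.
PATH_POLICY = [
    "'self'",
    f"https://{AUTH0_DOMAIN}/authorize",
    f"https://{AUTH0_DOMAIN}/u/login/identifier",
    "https://login.us.auth0.com/login/callback",
    "https://accounts.google.com/o/oauth2/auth",
]


def _split(url, default_scheme="https"):
    """(scheme, host, port, raw path) for a URL or a CSP host-source.
    A schemeless host-source gets default_scheme, as CSP gives it the page's."""
    if "://" not in url:
        url = f"{default_scheme}://{url}"
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme), u.path


def source_matches(source, url, page_origin):
    """CSP3 host-source matching, limited to what form-action needs here.
    Wildcards (*.example.com) and nonce/hash sources are deliberately unsupported."""
    if source == "'self'":
        return _split(url)[:3] == _split(page_origin)[:3]
    if source == "'none'":
        return False
    if "*" in source:
        raise NotImplementedError("wildcard host-sources are not modelled")
    s_scheme, s_host, s_port, s_path = _split(source, _split(page_origin)[0])
    u_scheme, u_host, u_port, u_path = _split(url)
    if (s_scheme, s_host, s_port) != (u_scheme, u_host, u_port):
        return False
    if s_path == "":                      # no path in the source: any path on the host
        return True
    u_path = u_path or "/"
    if s_path.endswith("/"):              # trailing slash: prefix match
        return u_path.startswith(s_path)
    return u_path == s_path               # otherwise exact path; the query is ignored


def check_chain(policy, chain, page_origin):
    """Evaluate every hop (the form action plus each Location target) against the
    policy. Returns [(url, allowed)]; a browser that applies form-action to
    redirects stops at the first hop that is not allowed."""
    return [(url, any(source_matches(s, url, page_origin) for s in policy)) for url in chain]


def first_blocked(policy, chain, page_origin):
    """The first hop the policy would block, or None if the whole chain passes."""
    for url, allowed in check_chain(policy, chain, page_origin):
        if not allowed:
            return url
    return None


def host_sources(chain, page_origin):
    """Collapse a chain to host-level sources: 'self' for the page's own origin,
    scheme://host[:port] for everything else, in first-seen order. A host-source
    with no path matches every path on that host, so a provider adding or
    renaming an endpoint on a host already listed does not break the flow."""
    sources = []
    for url in chain:
        scheme, host, port, _ = _split(url)
        if (scheme, host, port) == _split(page_origin)[:3]:
            src = "'self'"
        else:
            src = f"{scheme}://{host}" + ("" if port == DEFAULT_PORTS.get(scheme) else f":{port}")
        if src not in sources:
            sources.append(src)
    return sources


def form_action_directive(sources):
    """Render a source list as the directive string to put in the CSP header."""
    return "form-action " + " ".join(sources) + ";"


if __name__ == "__main__":
    # A hypothetical extra Google hop on a different path, the case the post worries about.
    longer_chain = LOGIN_CHAIN + ["https://accounts.google.com/o/oauth2/v2/auth?state=st4te"]
    print("path-level policy blocks:", first_blocked(PATH_POLICY, longer_chain, PAGE_ORIGIN))
    hosts = host_sources(LOGIN_CHAIN, PAGE_ORIGIN)
    print(form_action_directive(hosts))
    print("host-level policy blocks:", first_blocked(hosts, longer_chain, PAGE_ORIGIN))
```

Two things the model makes visible. First, a host-source without a path (https://accounts.google.com rather than https://accounts.google.com/o/oauth2/auth) permits every path on that host, so the extra Google hop passes the host-level policy and fails the path-level one; a new identity provider on a new host, such as Facebook, would still need its own entry either way. Second, the chain has to be captured from the real Location headers (browser devtools or a redirect-following client) and then fed in; nothing here discovers hops on its own. Browsers have also differed in whether form-action is applied to redirects at all, which is what the linked w3c/webappsec-csp issue discusses; the model assumes the strict behaviour the post observed.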