[keycloak-dev] Improved CSP support

[Johannes Knutsen]

Hi,

I am currently looking at improvements in the Content Security Policy
(CSP) support.

In our deployment, we have security requirements stating that a CSP
header should be used and inline scripts, styles and resources should
be blocked. For example by setting a CSP value like default-src
'self';.

Such a policy breaks Keycloak's manipulation of the browser history
implemented in the BrowserHistoryHelper, since the
JavascriptHistoryReplace injects an inline JavaScript.

The simplest workaround is to also inject a nonce value or SHA hash of
the script to the existing CSP header.

However, while implementing this, I found that a CSP nonce in general
would be nice to have available in any template context. This will
also make it easier to migrate the default Keycloak theme to support
stricter security policies.

An example implementation can be found here:
https://github.com/knutz3n/keycloak/commit/c6cfb3efa2942d7569066c0e4bd90a2ed75a0005

Would you be interested in merging a change like the one above? If
not, what is your view on how to allow stricter content security
policies?
Tests and documentation is currently missing, but I will add both if
this is something you would consider merging.

As a note, I have also done some work on supporting a strict CSP value
for the default theme. But there are some issues with included 3rd
party scripts which must/should be resolved. Let me know if you want
more details regarding this.

Best regards,
Johannes Knutsen