Expected Behavior

When using the Content Security Policy (CSP) header and doing a SAML2 AuthN Request POST Binding, add support for 'self' or nonce or hash instead of forcing unsafe-inline.

Current Behavior

When doing AuthN Requests with the SAML2 POST Binding, Spring Security creates HTML with an onload script to submit the SAML request in Saml2WebSsoAuthenticationRequestFilter.createSamlPostRequestFormData(). In order for that onload script to work when using a CSP header, I have to include script-src 'unsafe-inline'.

Comment From: jzheaux

Duplicate of https://github.com/spring-projects/spring-security/issues/9529

Comment From: jzheaux

Based on https://github.com/spring-projects/spring-security/issues/9529#issuecomment-1178881838, there may be a simpler way to address this issue than asking applications to create a custom page. As such, I'm reopening this issue for further consideration.

Comment From: marcusdacoregio

I believe this is now fixed via https://github.com/spring-projects/spring-security/issues/11631?

Comment From: mmoussa-mapfre

Yes, it appears that #11631 allows the CSP header to be used with the AuthN POST Binding. I am closing this issue.