SAML SSO Module - CORS Issue

[avenjamin]

Just bought the SAML SSO module and when pressing logout I'm seeing this error in the browser console:

Refused to load https://login.microsoftonline.com/....../saml2 because it does not appear in the form-action directive of the Content Security Policy.

Can the Logout URL be added to the header CSP which is currently this:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' ; img-src * 'self' data:; font-src * 'self' data:; style-src * 'self' 'unsafe-inline'; form-action 'self'; frame-src * 'self'; script-src 'self' 'nonce-hkz3L3FGXs4c9isEFS7AICaAj'  ;">

FreeScout version: 1.8.203

[avenjamin]

Note that I have the Logout URL configured to

https://login.microsoftonline.com/..../saml2

If i change it to:

https://my-freescout-url.com/login

Then it logs out without issue.

[freescout-help]

Are you using official SAML SSO Module? https://freescout.net/module/saml/
It does not have this kind of issue on logging out.

[avenjamin]

Yes we are using the official module.

It seems to be on the /logout route that it's trying to load the SAML Logoff URL but because of the CORS error it doesn't redirect and nothing happens (other than a browser console log)

When I updated the form-action part of the policy the url loaded.

I've since configured the logoff URL to be the /login route and it's working fine.

[freescout-help]

It still not clear why happens for you. Maybe some screenshots will be helpful.

[NeptunedGmbH]

similar issue on OAUTH Module for me

[freescout-help]

What browser are you using?

[freescout-help]

We've reproduced it: it happens in Chrome for example but does not happen in Firefox.

[freescout-help]

@avenjamin "When I updated the form-action part of the policy the url loaded."

How did you modify it?

[NeptunedGmbH]

What browser are you using?

happened in Arc and Safari

[freescout-help]

Fixed in the master branch and will be published in the next release.