Assuming that you use the SAML module, the /SSO request handler is registered in SAMLRequestHandler.java and the "document.forms[0].submit()" part is included in the saml1-post-binding.vm Velocity template which is part of the same module.
I hope this answers your question.
Hi folks,
I sincerely hope none of you have to deal with my problem. However, if you need to change your CSP headers, here is how to do it so that the SAML module has no inline code.
In multiple Velocity templates this inline code is used. In the templates:
These templates are located in [Mendixproject_Name]/resources/SAML/templates and all have the code:
<body onload="document.forms[0].submit()">
To fix this we need to change the code in the .vm files to reference the code in a JavaScript file within our app, instead of inline.
So for example the saml1-post-binding.vm will look like this:
##
## Velocity Template for SAML 1 HTTP-POST binding
##
## Velocity context may contain the following properties
## action - String - the action URL for the form
## binding - String - the SAML binding type in use
## TARGET - String - the relay state for the message
## SAMLResponse - String - the Base64 encoded SAML Response
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
#parse ( "/templates/add-html-head-content.vm" )
<script src="/scripts/submitLoginForm.js"></script>
</head>
<body>
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>
<form action="${action}" method="post">
<div>
#if($SAMLResponse)<input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/>#end
#if($TARGET)<input type="hidden" name="TARGET" value="${TARGET}"/>#end
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
#parse ( "/templates/add-html-body-content.vm" )
</body>
</html>
Notice here that the <body> does not have the onload function anymore. Also in the <head> we have a <script> with a reference to “/scripts/submitLoginForm.js”. So the function is now replaced with a file that has the code.
To make the new .vm files work again we have to create a JavaScript file with the code to launch. We placed the JavaScript file in [Mendixproject_Name]/theme/scripts with the name ‘submitLoginForm.js’. The file has the following code:
// Submit the SAML POST-binding form once the page has loaded, replacing the
// inline onload handler that the CSP no longer allows.
window.onload = (event) => {
  document.forms[0].submit();
};
Now as a final step we had to add the JavaScript file in the CSP header to make sure the browser allows it. To do that you need to go to the sprintr environment of your app. When you are there:
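As an added check that is not part of the original post, here is a small Python linter that parses a CSP header and scans a Velocity template for the inline constructs the rewrite above removes (on* event handlers, inline script bodies, javascript: URLs), so you can verify a template before tightening the header. The header strings and template fragments are constructed samples, not the values used in any real Mendix app.

```python
import re

# Constructed sample CSP headers: the weak one permits inline script, the
# hardened one only permits scripts served by the app itself.
CSP_WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'"
CSP_STRICT = "default-src 'self'; script-src 'self'"

# Constructed template fragments: the original inline onload handler and the
# rewrite that loads /scripts/submitLoginForm.js from the app instead.
TEMPLATE_BEFORE = ('<html><body onload="document.forms[0].submit()">'
                   '<form action="${action}" method="post"></form></body></html>')
TEMPLATE_AFTER = ('<html><head><script src="/scripts/submitLoginForm.js"></script></head>'
                  '<body><form action="${action}" method="post"></form></body></html>')

# Heuristic patterns for markup that a policy without 'unsafe-inline' blocks.
INLINE_HANDLER = re.compile(r'\son[a-z]+\s*=\s*["\'][^"\']*["\']', re.IGNORECASE)
INLINE_SCRIPT = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>\s*\S', re.IGNORECASE)
JS_URL = re.compile(r'(?:href|action)\s*=\s*["\']\s*javascript:', re.IGNORECASE)


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() if p.startswith("'") else p
                                        for p in parts[1:]]
    return policy


def allows_inline_script(header):
    """True if the browser may run inline scripts and on* handlers under this policy.
    script-src governs scripts; default-src is the fallback when it is absent.
    A nonce or hash source makes CSP2+ browsers ignore 'unsafe-inline'."""
    policy = parse_csp(header)
    if "script-src" not in policy and "default-src" not in policy:
        return True  # no script restriction at all
    sources = policy.get("script-src", policy.get("default-src", []))
    if any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources):
        return False
    return "'unsafe-inline'" in sources


def find_inline_script(html):
    """Return every inline-script construct found in the markup."""
    return [m.group(0).strip() for pat in (INLINE_HANDLER, INLINE_SCRIPT, JS_URL)
            for m in pat.finditer(html)]


def template_works_under(html, header):
    """A template keeps working if it has no inline script or the CSP still allows it."""
    return not find_inline_script(html) or allows_inline_script(header)
```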
If you might have any other questions about the CSP header, don't hesitate to ask. I'm also on the Mendix community Slack.
Go make it ;)