As first raised in dotnet/aspnetcore#14721. We are using ADFS with OpenID Connect for an ASP.NET core application, which we just upgraded from 2.0 to 2.2.
Once upgraded to 2.2, we found that the form POST to the ADFS server required our content security policy to have 'unsafe-eval'. The string in question is `window.setTimeout('document.forms[0].submit()', 0);`.
In 2.0, the script just reads `document.form.submit()`, and therefore works fine even with our CSP.
It seems to be coming from BuildFormPost() in AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet. I'm not sure how that repository relates to the standard .net core ones, as we aren't using any additional nuget packages for authentication. It was also hard for me to tell how those versions relate to the .net core versions and what that code used to look like.
We managed to get around this and only relax the policy when the user has no claims, aka, is trying to login, but it still seems like we are missing something.
What is the point of setTimeout with a 0?
Why does the argument of setTimeout need to be a string?
To Reproduce
1. Setup OIDC
2. Set a content security policy
3. Run code
4. Note how 2.2 will get blocked by browser (Chrome) but 2.0 will not.
Expected behavior
To not need to have a more relaxed content security policy for the page that has the authentication form that is submitted via JavaScript.
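The following is an added example, not code from the issue or from the identitymodel library, that models the CSP behaviour behind the report: a `setTimeout` whose first argument is a string is compiled like `eval()`, so it needs `'unsafe-eval'` in the effective `script-src`, whereas the function-argument form does not. The policy string and the `STRING_TIMER_RE` / `toFunctionForm` helpers are constructed here for illustration; the block only models the eval aspect, not whether the inline script itself is permitted by a nonce, hash or `'unsafe-inline'`.

```javascript
// Parse a Content-Security-Policy header value into directive -> source tokens.
// Per the CSP spec, only the first occurrence of a directive counts.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// script-src governs script execution; default-src is the fallback when absent.
function effectiveScriptSrc(directives) {
  return directives.get('script-src') || directives.get('default-src') || [];
}

// True when the snippet calls setTimeout/setInterval with a string literal,
// the form that is evaluated like eval() and therefore needs 'unsafe-eval'.
const STRING_TIMER_RE = /\b(?:window\.)?set(?:Timeout|Interval)\s*\(\s*(['"`])/;
function usesStringTimer(snippet) {
  return STRING_TIMER_RE.test(snippet);
}

// Would the snippet's timer call be blocked under this policy?
function timerBlockedByCsp(snippet, header) {
  if (!usesStringTimer(snippet)) return false;
  const sources = effectiveScriptSrc(parseCsp(header));
  return !sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Rewrite the string form into the function form. The 0 ms delay is kept:
// it still defers the submit until the current script has finished running,
// but the body is now a closure, so no eval-style compilation is needed.
function toFunctionForm(snippet) {
  return snippet.replace(
    /set(Timeout|Interval)\s*\(\s*(['"`])((?:(?!\2).)*)\2\s*,/,
    (_m, kind, _q, body) => `set${kind}(function () { ${body}; },`
  );
}

// Constructed sample inputs, using the strings quoted in the issue.
const POLICY = "default-src 'self'; script-src 'self' 'nonce-abc123'";
const SCRIPT_22 = "window.setTimeout('document.forms[0].submit()', 0);";
const SCRIPT_20 = "document.forms[0].submit();";
```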