This repository has been archived by the owner on Jul 31, 2024. It is now read-only.
RequireCspFrameSrcForSignout = false does not sign out websites using front channel #2224
Comments
|
I think disabling the entire CSP header is this flag is set is the fix. |
brockallen
added a commit
that referenced
this issue
Apr 14, 2018
…FrameSrcForSignout is configured to disable #2224
|
Fixed. Please test our nightly build and let me know how it's working. |
|
I wasn't available to test this until today, and, I was able to test with the recently released v2.2 and it worked properly as expected. |
|
Good to hear. Thanks |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I have one client I was configuring which itself wraps another website on a different domain. Under the default settings, it was not being properly signed out on the logout page defined by the QuickStart UI. I found an error in the browser console stating the redirect was not allowed due to the
frame-srcvalue. I found that theframe-srccould be disabled by setting theRequireCspFrameSrcForSignoutproperty. However, now none of the iframes for the front channel sign out process will load. The browser console says the pages will not load due to thedefault-srcvalue. The source code shows that this value is being set to'none', whether or not theRequireCspFrameSrcForSignoutis set.The text was updated successfully, but these errors were encountered: