Elgato_dark/products
1
0
Fork 0
mirror of https://github.com/DuendeSoftware/products synced 2026-05-24 09:28:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #2296 from DuendeSoftware/pg/introduce-csp-header-validation-tests-74

Browse source 
Resolve CSP by moving it to a not dotnet formattable file
This commit is contained in:
Pieter Germishuys 2025-12-08 10:32:34 +01:00 committed by GitHub
commit 2e84cf52fb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 320 additions and 300 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
identity-server/src/IdentityServer/Duende.IdentityServer.csproj
View file

@ -31,4 +31,9 @@
</Compile>
</ItemGroup>
<ItemGroup>
<None Remove="Endpoints\Results\check-session-result.js" />
<EmbeddedResource Include="Endpoints\Results\check-session-result.js" />
</ItemGroup>
</Project>

317
identity-server/src/IdentityServer/Endpoints/Results/CheckSessionResult.cs
View file

@ -21,6 +21,7 @@ internal class CheckSessionHttpWriter : IHttpResponseWriter<CheckSessionResult>
{
public CheckSessionHttpWriter(IdentityServerOptions options) => _options = options;
private static readonly string CheckSessionScript = GetEmbeddedResource($"{typeof(CheckSessionHttpWriter).Namespace}.check-session-result.js");
private IdentityServerOptions _options;
private static volatile string FormattedHtml;
private static readonly object Lock = new object();
@ -43,7 +44,9 @@ internal class CheckSessionHttpWriter : IHttpResponseWriter<CheckSessionResult>
{
if (cookieName != LastCheckSessionCookieName)
{
FormattedHtml = Html.Replace("{cookieName}", cookieName, StringComparison.InvariantCulture);
FormattedHtml = Html.Replace("{cookieName}", cookieName, StringComparison.InvariantCulture)
.Replace("{script}", CheckSessionScript, StringComparison.InvariantCulture)
.ReplaceLineEndings("\n");
LastCheckSessionCookieName = cookieName;
}
}
@ -51,6 +54,19 @@ internal class CheckSessionHttpWriter : IHttpResponseWriter<CheckSessionResult>
return FormattedHtml;
}
private static string GetEmbeddedResource(string resourceName)
{
var assembly = typeof(CheckSessionHttpWriter).Assembly;
using var stream = assembly.GetManifestResourceStream(resourceName);
if (stream == null)
{
throw new InvalidOperationException($"Embedded resource '{resourceName}' not found.");
}
using var reader = new StreamReader(stream);
return reader.ReadToEnd();
}
private const string Html = @"
<!DOCTYPE html>
<!--Copyright (c) Duende Software. All rights reserved.-->
@ -62,304 +78,7 @@ internal class CheckSessionHttpWriter : IHttpResponseWriter<CheckSessionResult>
</head>
<body>
<script id='cookie-name' type='application/json'>{cookieName}</script>
<script>
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/* SHA-256 implementation in JavaScript (c) Chris Veness 2002-2014 / MIT Licence */
/* */
/* - see http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html */
/* http://csrc.nist.gov/groups/ST/toolkit/examples.html */
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/* jshint node:true *//* global define, escape, unescape */
'use strict';
/**
* SHA-256 hash function reference implementation.
*
* @namespace
*/
var Sha256 = {};
/**
* Generates SHA-256 hash of string.
*
* @param {string} msg - String to be hashed
* @returns {string} Hash of msg as hex character string
*/
Sha256.hash = function(msg) {
// convert string to UTF-8, as SHA only deals with byte-streams
msg = msg.utf8Encode();
// constants [§4.2.2]
var K = [
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 ];
// initial hash value [§5.3.1]
var H = [
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 ];
// PREPROCESSING
msg += String.fromCharCode(0x80); // add trailing '1' bit (+ 0's padding) to string [§5.1.1]
// convert string msg into 512-bit/16-integer blocks arrays of ints [§5.2.1]
var l = msg.length/4 + 2; // length (in 32-bit integers) of msg + 1 + appended length
var N = Math.ceil(l/16); // number of 16-integer-blocks required to hold 'l' ints
var M = new Array(N);
for (var i=0; i<N; i++) {
M[i] = new Array(16);
for (var j=0; j<16; j++) { // encode 4 chars per integer, big-endian encoding
M[i][j] = (msg.charCodeAt(i*64+j*4)<<24) | (msg.charCodeAt(i*64+j*4+1)<<16) |
(msg.charCodeAt(i*64+j*4+2)<<8) | (msg.charCodeAt(i*64+j*4+3));
} // note running off the end of msg is ok 'cos bitwise ops on NaN return 0
}
// add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
// note: most significant word would be (len-1)*8 >>> 32, but since JS converts
// bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
M[N-1][14] = ((msg.length-1)*8) / Math.pow(2, 32); M[N-1][14] = Math.floor(M[N-1][14]);
M[N-1][15] = ((msg.length-1)*8) & 0xffffffff;
// HASH COMPUTATION [§6.1.2]
var W = new Array(64); var a, b, c, d, e, f, g, h;
for (var i=0; i<N; i++) {
// 1 - prepare message schedule 'W'
for (var t=0; t<16; t++) W[t] = M[i][t];
for (var t=16; t<64; t++) W[t] = (Sha256.σ1(W[t-2]) + W[t-7] + Sha256.σ0(W[t-15]) + W[t-16]) & 0xffffffff;
// 2 - initialise working variables a, b, c, d, e, f, g, h with previous hash value
a = H[0]; b = H[1]; c = H[2]; d = H[3]; e = H[4]; f = H[5]; g = H[6]; h = H[7];
// 3 - main loop (note 'addition modulo 2^32')
for (var t=0; t<64; t++) {
var T1 = h + Sha256.Σ1(e) + Sha256.Ch(e, f, g) + K[t] + W[t];
var T2 = Sha256.Σ0(a) + Sha256.Maj(a, b, c);
h = g;
g = f;
f = e;
e = (d + T1) & 0xffffffff;
d = c;
c = b;
b = a;
a = (T1 + T2) & 0xffffffff;
}
// 4 - compute the new intermediate hash value (note 'addition modulo 2^32')
H[0] = (H[0]+a) & 0xffffffff;
H[1] = (H[1]+b) & 0xffffffff;
H[2] = (H[2]+c) & 0xffffffff;
H[3] = (H[3]+d) & 0xffffffff;
H[4] = (H[4]+e) & 0xffffffff;
H[5] = (H[5]+f) & 0xffffffff;
H[6] = (H[6]+g) & 0xffffffff;
H[7] = (H[7]+h) & 0xffffffff;
}
return Sha256.toHexStr(H[0]) + Sha256.toHexStr(H[1]) + Sha256.toHexStr(H[2]) + Sha256.toHexStr(H[3]) +
Sha256.toHexStr(H[4]) + Sha256.toHexStr(H[5]) + Sha256.toHexStr(H[6]) + Sha256.toHexStr(H[7]);
};
/**
* Rotates right (circular right shift) value x by n positions [§3.2.4].
* @private
*/
Sha256.ROTR = function(n, x) {
return (x >>> n) | (x << (32-n));
};
/**
* Logical functions [§4.1.2].
* @private
*/
Sha256.Σ0 = function(x) { return Sha256.ROTR(2, x) ^ Sha256.ROTR(13, x) ^ Sha256.ROTR(22, x); };
Sha256.Σ1 = function(x) { return Sha256.ROTR(6, x) ^ Sha256.ROTR(11, x) ^ Sha256.ROTR(25, x); };
Sha256.σ0 = function(x) { return Sha256.ROTR(7, x) ^ Sha256.ROTR(18, x) ^ (x>>>3); };
Sha256.σ1 = function(x) { return Sha256.ROTR(17, x) ^ Sha256.ROTR(19, x) ^ (x>>>10); };
Sha256.Ch = function(x, y, z) { return (x & y) ^ (~x & z); };
Sha256.Maj = function(x, y, z) { return (x & y) ^ (x & z) ^ (y & z); };
/**
* Hexadecimal representation of a number.
* @private
*/
Sha256.toHexStr = function(n) {
// note can't use toString(16) as it is implementation-dependant,
// and in IE returns signed numbers when used on full words
var s='', v;
for (var i=7; i>=0; i--) { v = (n>>>(i*4)) & 0xf; s += v.toString(16); }
return s;
};
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/** Extend String object with method to encode multi-byte string to utf8
* - monsur.hossa.in/2012/07/20/utf-8-in-javascript.html */
if (typeof String.prototype.utf8Encode == 'undefined') {
String.prototype.utf8Encode = function() {
return unescape( encodeURIComponent( this ) );
};
}
/** Extend String object with method to decode utf8 string to multi-byte */
if (typeof String.prototype.utf8Decode == 'undefined') {
String.prototype.utf8Decode = function() {
try {
return decodeURIComponent( escape( this ) );
} catch (e) {
return this; // invalid UTF-8? return as-is
}
};
}
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
if (typeof module != 'undefined' && module.exports) module.exports = Sha256; // CommonJs export
if (typeof define == 'function' && define.amd) define([], function() { return Sha256; }); // AMD
////////////////////////////////////////////////////////////////////
///////////// IdentityServer JS Code Starts here ///////////////////
////////////////////////////////////////////////////////////////////
function getCookies() {
var allCookies = document.cookie;
var cookies = allCookies.split(';');
return cookies.map(function(value) {
var parts = value.trim().split('=');
if (parts.length === 2) {
return {
name: parts[0].trim(),
value: parts[1].trim()
};
}
}).filter(function(item) {
return item && item.name && item.value;
});
}
function getBrowserSessionId() {
var cookies = getCookies().filter(function(cookie) {
return (cookie.name === cookieName);
});
// empty string represents anonymous sid
return (cookies[0] && cookies[0].value) || '';
}
/*! (c) Tom Wu | http://www-cs-students.stanford.edu/~tjw/jsbn/ */
var b64map = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
var b64pad = '=';
function hex2b64(h) {
var i;
var c;
var ret = '';
for (i = 0; i + 3 <= h.length; i += 3) {
c = parseInt(h.substring(i, i + 3), 16);
ret += b64map.charAt(c >> 6) + b64map.charAt(c & 63);
}
if (i + 1 == h.length) {
c = parseInt(h.substring(i, i + 1), 16);
ret += b64map.charAt(c << 2);
}
else if (i + 2 == h.length) {
c = parseInt(h.substring(i, i + 2), 16);
ret += b64map.charAt(c >> 2) + b64map.charAt((c & 3) << 4);
}
if (b64pad) while ((ret.length & 3) > 0) ret += b64pad;
return ret;
}
function base64UrlEncode(s){
var val = hex2b64(s);
val = val.replace(/=/g, ''); // Remove any trailing '='s
val = val.replace(/\+/g, '-'); // '+' => '-'
val = val.replace(/\//g, '_'); // '/' => '_'
return val;
}
function hash(value) {
var hash = Sha256.hash(value);
return base64UrlEncode(hash);
}
function computeSessionStateHash(clientId, origin, sessionId, salt) {
return hash(clientId + origin + sessionId + salt);
}
function calculateSessionStateResult(origin, message) {
try {
if (!origin || !message) {
return 'error';
}
var idx = message.lastIndexOf(' ');
if (idx < 0 || idx >= message.length) {
return 'error';
}
var clientId = message.substring(0, idx);
var sessionState = message.substring(idx + 1);
if (!clientId || !sessionState) {
return 'error';
}
var sessionStateParts = sessionState.split('.');
if (sessionStateParts.length !== 2) {
return 'error';
}
var clientHash = sessionStateParts[0];
var salt = sessionStateParts[1];
if (!clientHash || !salt) {
return 'error';
}
var currentSessionId = getBrowserSessionId();
var expectedHash = computeSessionStateHash(clientId, origin, currentSessionId, salt);
return clientHash === expectedHash ? 'unchanged' : 'changed';
}
catch (e) {
return 'error';
}
}
var cookieNameElem = document.getElementById('cookie-name');
if (cookieNameElem) {
var cookieName = cookieNameElem.textContent.trim();
}
if (cookieName && window.parent !== window) {
window.addEventListener('message', function(e) {
if (window === e.source) {
// ignore browser extensions that are sending messages.
return;
}
if (typeof e.data !== 'string') {
return;
}
var result = calculateSessionStateResult(e.origin, e.data);
e.source.postMessage(result, e.origin);
}, false);
}
</script>
<script>{script}</script>
</body>
</html>
";

296
identity-server/src/IdentityServer/Endpoints/Results/check-session-result.js vendored Normal file
View file

@ -0,0 +1,296 @@
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/* SHA-256 implementation in JavaScript (c) Chris Veness 2002-2014 / MIT Licence */
/* */
/* - see http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html */
/* http://csrc.nist.gov/groups/ST/toolkit/examples.html */
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/* jshint node:true *//* global define, escape, unescape */
'use strict';
/**
* SHA-256 hash function reference implementation.
*
* @namespace
*/
var Sha256 = {};
/**
* Generates SHA-256 hash of string.
*
* @param {string} msg - String to be hashed
* @returns {string} Hash of msg as hex character string
*/
Sha256.hash = function(msg) {
// convert string to UTF-8, as SHA only deals with byte-streams
msg = msg.utf8Encode();
// constants [§4.2.2]
var K = [
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 ];
// initial hash value [§5.3.1]
var H = [
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 ];
// PREPROCESSING
msg += String.fromCharCode(0x80); // add trailing '1' bit (+ 0's padding) to string [§5.1.1]
// convert string msg into 512-bit/16-integer blocks arrays of ints [§5.2.1]
var l = msg.length/4 + 2; // length (in 32-bit integers) of msg + 1 + appended length
var N = Math.ceil(l/16); // number of 16-integer-blocks required to hold 'l' ints
var M = new Array(N);
for (var i=0; i<N; i++) {
M[i] = new Array(16);
for (var j=0; j<16; j++) { // encode 4 chars per integer, big-endian encoding
M[i][j] = (msg.charCodeAt(i*64+j*4)<<24) | (msg.charCodeAt(i*64+j*4+1)<<16) |
(msg.charCodeAt(i*64+j*4+2)<<8) | (msg.charCodeAt(i*64+j*4+3));
} // note running off the end of msg is ok 'cos bitwise ops on NaN return 0
}
// add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
// note: most significant word would be (len-1)*8 >>> 32, but since JS converts
// bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
M[N-1][14] = ((msg.length-1)*8) / Math.pow(2, 32); M[N-1][14] = Math.floor(M[N-1][14]);
M[N-1][15] = ((msg.length-1)*8) & 0xffffffff;
// HASH COMPUTATION [§6.1.2]
var W = new Array(64); var a, b, c, d, e, f, g, h;
for (var i=0; i<N; i++) {
// 1 - prepare message schedule 'W'
for (var t=0; t<16; t++) W[t] = M[i][t];
for (var t=16; t<64; t++) W[t] = (Sha256.σ1(W[t-2]) + W[t-7] + Sha256.σ0(W[t-15]) + W[t-16]) & 0xffffffff;
// 2 - initialise working variables a, b, c, d, e, f, g, h with previous hash value
a = H[0]; b = H[1]; c = H[2]; d = H[3]; e = H[4]; f = H[5]; g = H[6]; h = H[7];
// 3 - main loop (note 'addition modulo 2^32')
for (var t=0; t<64; t++) {
var T1 = h + Sha256.Σ1(e) + Sha256.Ch(e, f, g) + K[t] + W[t];
var T2 = Sha256.Σ0(a) + Sha256.Maj(a, b, c);
h = g;
g = f;
f = e;
e = (d + T1) & 0xffffffff;
d = c;
c = b;
b = a;
a = (T1 + T2) & 0xffffffff;
}
// 4 - compute the new intermediate hash value (note 'addition modulo 2^32')
H[0] = (H[0]+a) & 0xffffffff;
H[1] = (H[1]+b) & 0xffffffff;
H[2] = (H[2]+c) & 0xffffffff;
H[3] = (H[3]+d) & 0xffffffff;
H[4] = (H[4]+e) & 0xffffffff;
H[5] = (H[5]+f) & 0xffffffff;
H[6] = (H[6]+g) & 0xffffffff;
H[7] = (H[7]+h) & 0xffffffff;
}
return Sha256.toHexStr(H[0]) + Sha256.toHexStr(H[1]) + Sha256.toHexStr(H[2]) + Sha256.toHexStr(H[3]) +
Sha256.toHexStr(H[4]) + Sha256.toHexStr(H[5]) + Sha256.toHexStr(H[6]) + Sha256.toHexStr(H[7]);
};
/**
* Rotates right (circular right shift) value x by n positions [§3.2.4].
* @private
*/
Sha256.ROTR = function(n, x) {
return (x >>> n) | (x << (32-n));
};
/**
* Logical functions [§4.1.2].
* @private
*/
Sha256.Σ0 = function(x) { return Sha256.ROTR(2, x) ^ Sha256.ROTR(13, x) ^ Sha256.ROTR(22, x); };
Sha256.Σ1 = function(x) { return Sha256.ROTR(6, x) ^ Sha256.ROTR(11, x) ^ Sha256.ROTR(25, x); };
Sha256.σ0 = function(x) { return Sha256.ROTR(7, x) ^ Sha256.ROTR(18, x) ^ (x>>>3); };
Sha256.σ1 = function(x) { return Sha256.ROTR(17, x) ^ Sha256.ROTR(19, x) ^ (x>>>10); };
Sha256.Ch = function(x, y, z) { return (x & y) ^ (~x & z); };
Sha256.Maj = function(x, y, z) { return (x & y) ^ (x & z) ^ (y & z); };
/**
* Hexadecimal representation of a number.
* @private
*/
Sha256.toHexStr = function(n) {
// note can't use toString(16) as it is implementation-dependant,
// and in IE returns signed numbers when used on full words
var s='', v;
for (var i=7; i>=0; i--) { v = (n>>>(i*4)) & 0xf; s += v.toString(16); }
return s;
};
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/** Extend String object with method to encode multi-byte string to utf8
* - monsur.hossa.in/2012/07/20/utf-8-in-javascript.html */
if (typeof String.prototype.utf8Encode == 'undefined') {
String.prototype.utf8Encode = function() {
return unescape( encodeURIComponent( this ) );
};
}
/** Extend String object with method to decode utf8 string to multi-byte */
if (typeof String.prototype.utf8Decode == 'undefined') {
String.prototype.utf8Decode = function() {
try {
return decodeURIComponent( escape( this ) );
} catch (e) {
return this; // invalid UTF-8? return as-is
}
};
}
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
if (typeof module != 'undefined' && module.exports) module.exports = Sha256; // CommonJs export
if (typeof define == 'function' && define.amd) define([], function() { return Sha256; }); // AMD
////////////////////////////////////////////////////////////////////
///////////// IdentityServer JS Code Starts here ///////////////////
////////////////////////////////////////////////////////////////////
function getCookies() {
var allCookies = document.cookie;
var cookies = allCookies.split(';');
return cookies.map(function(value) {
var parts = value.trim().split('=');
if (parts.length === 2) {
return {
name: parts[0].trim(),
value: parts[1].trim()
};
}
}).filter(function(item) {
return item && item.name && item.value;
});
}
function getBrowserSessionId() {
var cookies = getCookies().filter(function(cookie) {
return (cookie.name === cookieName);
});
// empty string represents anonymous sid
return (cookies[0] && cookies[0].value) || '';
}
/*! (c) Tom Wu | http://www-cs-students.stanford.edu/~tjw/jsbn/ */
var b64map = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
var b64pad = '=';
function hex2b64(h) {
var i;
var c;
var ret = '';
for (i = 0; i + 3 <= h.length; i += 3) {
c = parseInt(h.substring(i, i + 3), 16);
ret += b64map.charAt(c >> 6) + b64map.charAt(c & 63);
}
if (i + 1 == h.length) {
c = parseInt(h.substring(i, i + 1), 16);
ret += b64map.charAt(c << 2);
}
else if (i + 2 == h.length) {
c = parseInt(h.substring(i, i + 2), 16);
ret += b64map.charAt(c >> 2) + b64map.charAt((c & 3) << 4);
}
if (b64pad) while ((ret.length & 3) > 0) ret += b64pad;
return ret;
}
function base64UrlEncode(s){
var val = hex2b64(s);
val = val.replace(/=/g, ''); // Remove any trailing '='s
val = val.replace(/\+/g, '-'); // '+' => '-'
val = val.replace(/\//g, '_'); // '/' => '_'
return val;
}
function hash(value) {
var hash = Sha256.hash(value);
return base64UrlEncode(hash);
}
function computeSessionStateHash(clientId, origin, sessionId, salt) {
return hash(clientId + origin + sessionId + salt);
}
function calculateSessionStateResult(origin, message) {
try {
if (!origin || !message) {
return 'error';
}
var idx = message.lastIndexOf(' ');
if (idx < 0 || idx >= message.length) {
return 'error';
}
var clientId = message.substring(0, idx);
var sessionState = message.substring(idx + 1);
if (!clientId || !sessionState) {
return 'error';
}
var sessionStateParts = sessionState.split('.');
if (sessionStateParts.length !== 2) {
return 'error';
}
var clientHash = sessionStateParts[0];
var salt = sessionStateParts[1];
if (!clientHash || !salt) {
return 'error';
}
var currentSessionId = getBrowserSessionId();
var expectedHash = computeSessionStateHash(clientId, origin, currentSessionId, salt);
return clientHash === expectedHash ? 'unchanged' : 'changed';
}
catch (e) {
return 'error';
}
}
var cookieNameElem = document.getElementById('cookie-name');
if (cookieNameElem) {
var cookieName = cookieNameElem.textContent.trim();
}
if (cookieName && window.parent !== window) {
window.addEventListener('message', function(e) {
if (window === e.source) {
// ignore browser extensions that are sending messages.
return;
}
if (typeof e.data !== 'string') {
return;
}
var result = calculateSessionStateResult(e.origin, e.data);
e.source.postMessage(result, e.origin);
}, false);
}

2
identity-server/src/IdentityServer/IdentityServerConstants.cs
View file

@ -235,7 +235,7 @@ public static class IdentityServerConstants
/// <summary>
/// The hash of the inline script used on the check session endpoint.
/// </summary>
public const string CheckSessionScript = "sha256-4Hj97GNFvt0k8A6DbSr2hoRb/RJmCCakAgE+4zuVeHs=";
public const string CheckSessionScript = "sha256-jyguj/c+mxOUX7TJrFnIkEQlj4jinO1nejo8qnuF1jc=";
}
public static class ProtocolRoutePaths