I'm currently using Pac4J in combination with SAML2, and that works fine unless a 'Content-Security-Policy' is being applied.
When the Content-Security-Policy is being applied and I access a secure URL within the browser, an empty page is shown. The actual HTML of the page contains a simple form which should automatically post the AuthRequest to the identity provider. But this post is not allowed due to the 'Content-Security-Policy'.
With the 'unsafe-inline' option of Content-Security-Policy I would probably be able to fix it, but I prefer not to use 'unsafe-inline'. Another approach could be to use 'unsafe-hashes', but according to https://content-security-policy.com/unsafe-hashes/ it should preferably not be used.
Within the Pac4jHTTPPostEncoder I could change the velocity template and provide my own template which uses a <script> instead and then use the hash functionality (https://content-security-policy.com/hash/). But it's rather hard to change the settings on the Pac4jHTTPPostEncoder because this class is used within a private method in the AbstractSAML2MessageSender.
Maybe there is a better solution than changing the velocity template and changing the pac4j code. If anyone has some idea I would appreciate it.
Version of pac4j is 5.3.1.
Kind regards,
Richard
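Added example, not the poster's code and not pac4j's: a hash-based CSP for a <script>-driven auto-post page of the kind described above, built as the poster suggests instead of an inline onload= handler. The form id, the IdP URL and the script body are constructed placeholders; the hash has to be computed over the exact bytes the template emits between the script tags, and the policy also has to permit the cross-origin POST via form-action.

```python
import base64
import hashlib
import html
from typing import Iterable, Optional

# Constructed stand-in for the SAML HTTP-POST binding page: the auto-submit
# is done by a <script> element (hashable under CSP) rather than an inline
# onload= handler, which CSP can only allow via 'unsafe-inline'/'unsafe-hashes'.
AUTOPOST_SCRIPT = "document.getElementById('saml-post').submit();"


def csp_script_hash(script_body: str) -> str:
    """Return the CSP source expression ('sha256-...') for an inline script body.

    The hash covers the exact bytes between <script> and </script>, so any
    change in whitespace or line endings in the template invalidates it.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def render_autopost_page(action_url: str, saml_request: str,
                         relay_state: Optional[str]) -> str:
    """Render the auto-posting form; all dynamic values are HTML-escaped."""
    fields = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}"/>'
        for name, value in fields
    )
    return (
        "<!DOCTYPE html><html><body>"
        f'<form id="saml-post" method="post" action="{html.escape(action_url, quote=True)}">'
        f'{inputs}<noscript><input type="submit" value="Continue"/></noscript></form>'
        # The script body must be emitted byte-for-byte as hashed in the header.
        f"<script>{AUTOPOST_SCRIPT}</script></body></html>"
    )


def csp_header_for(script_body: str, idp_origins: Iterable[str]) -> str:
    """Content-Security-Policy value that allows exactly this inline script
    and a form POST to the listed identity-provider origins (placeholders)."""
    form_action = " ".join(["'self'", *idp_origins])
    return (f"default-src 'self'; script-src {csp_script_hash(script_body)}; "
            f"form-action {form_action}")
```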