Hi, I’m integrating CAS (Apereo) with Moodle to handle centralized authentication and logout, and I encountered a complex issue related to Content Security Policy (CSP).
Context: I'm using CAS 7.1.5, configured to send FRONT_CHANNEL logout notifications to Moodle. This is classic JSONP: CAS expects Moodle to receive the script and execute it to end the client-side session (I'm using CasRegisteredService in MongoDB for Moodle).

Problem: The browser blocks the JSONP script with the error:

    Refused to load the script 'https://localhost/moodle-virgen/login/logout.php?...' because it violates the Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'".

Diagnosis: Moodle by default does not send any CSP header. But when using plugins like local_csp, or setting headers at the server level (Apache), CSP becomes active. I tried injecting the header using a local plugin, but found that Moodle overrides or ignores it unless it's injected from Apache.

Final solution: I switched the logout request type from JSONP to JSON in casPropagateLogoutView.html:

    // [[${...}]] are Thymeleaf inline expressions rendered by CAS for each
    // registered service on the logout page.
    $.ajax({
        url: [[${entry.key.logoutUrl}]],
        // 'json' instead of 'jsonp': the request goes out as an XHR rather than
        // an injected <script> tag, so it is not subject to script-src.
        dataType: 'json',
        async: true,
        // Note: Access-Control-Allow-Origin is a response header; sending it on
        // the request has no effect and forces a CORS preflight, so it could be dropped.
        headers: {"Access-Control-Allow-Origin": "*"},
        contentType: [[${entry.value.contentType}]],
        data: [[${entry.value.message}]],
        success: function (data) {
            var index = [[${iterStat.index}]];
            var last = [[${iterStat.last}]];
            // After the last service has been notified, redirect the browser (5 s delay).
            if (last) {
                var urlRedirect = [[${logoutRedirectUrl}]];
                setTimeout(function () {
                    if (urlRedirect && urlRedirect !== '') {
                        window.location.replace(urlRedirect);
                    }
                }, 5000);
            }
            handleCallback(index, 200);
        },
        error: function (err, textStatus, errorThrown) {
            var index = [[${iterStat.index}]];
            var last = [[${iterStat.last}]];
            // Same redirect logic on failure, so one unreachable service does not block logout.
            if (last) {
                var urlRedirect = [[${logoutRedirectUrl}]];
                setTimeout(function () {
                    if (urlRedirect && urlRedirect !== '') {
                        window.location.replace(urlRedirect);
                    }
                }, 5000);
            }
            handleCallback(index, err.status);
        }
    });

Bonus: I also ran into this error: $(...).tooltip is not a function. It was caused by CAS trying to use Bootstrap's tooltip without loading bootstrap.js. Unrelated to CSP, but it came up during debugging.

Has anyone else faced this?
Would love to hear cleaner CSP-safe approaches to support logout notifications from CAS to Moodle.

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7d58ebbe-c8c5-4b2a-a2e7-41348903156cn%40apereo.org.
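An added illustration, not code from the post above or from the CAS or Moodle projects: a small evaluator for CSP source lists that shows why the same Moodle logout URL is refused as a JSONP <script> under script-src 'self' but passes as a JSON XHR, which CSP judges under connect-src (falling back to default-src, and unrestricted when neither is set). The CAS page URL, the port split between CAS and Moodle and the SAMLRequest value are constructed assumptions; nonces, hashes, paths and 'strict-dynamic' are not modelled.

```javascript
// Evaluate one CSP fetch directive against a target URL. Handles 'self', quoted
// keywords, scheme sources and host sources (optional scheme://, optional "*." wildcard).
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return policy;
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

function sourceAllows(src, page, target) {
  if (src === "'self'") return page.origin === target.origin; // same scheme, host AND port
  if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', 'unsafe-eval', nonce-/sha256- never match a URL
  if (src.endsWith(':')) return target.protocol === src; // scheme source, e.g. https:
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/]+)$/); // [scheme://]host[:port]
  if (!m) return false;
  if (m[1] && m[1] + ':' !== target.protocol) return false;
  return hostMatches(m[2], target.host); // target.host carries a port only when non-default
}

function cspAllows(header, directive, pageUrl, targetUrl) {
  const policy = parseCsp(header);
  // A fetch directive falls back to default-src; with neither present CSP imposes no restriction.
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;
  const page = new URL(pageUrl), target = new URL(targetUrl);
  return sources.some(src => sourceAllows(src, page, target));
}

// Policy from the error message; the CAS page (assumed on port 8443) and Moodle URL are constructed.
// CSP is enforced by the document performing the load, i.e. the CAS logout page's own header.
const CSP = "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const CAS_PAGE = 'https://localhost:8443/cas/logout';
const MOODLE_LOGOUT = 'https://localhost/moodle-virgen/login/logout.php?SAMLRequest=constructed';

function demo() {
  return {
    jsonpScript: cspAllows(CSP, 'script-src', CAS_PAGE, MOODLE_LOGOUT),                 // false: refused
    jsonXhr: cspAllows(CSP, 'connect-src', CAS_PAGE, MOODLE_LOGOUT),                    // true: unrestricted
    xhrLocked: cspAllows(CSP + "; connect-src 'self'", 'connect-src', CAS_PAGE, MOODLE_LOGOUT), // false
    scriptAllowlisted: cspAllows(CSP + ' https://localhost', 'script-src', CAS_PAGE, MOODLE_LOGOUT), // true
  };
}
```

The xhrLocked case shows the defender's lever: once a connect-src (or default-src) is set, the JSON variant is governed by it too, so the Moodle origin must be listed explicitly rather than relying on the directive being absent.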