
Support for Content Security Policy Header #32123

@jamesshuriff

Description


Keycloak's security headers functionality does not currently support the form-action, script-src, and style-src CSP directives. This enhancement:

  • Adds support for form-action, script-src, style-src.
  • Updates the default CSP to be much stronger.
  • Defines a NonceBean to inject style and script nonces into FreeMarker templates.
  • Updates built-in templates with nonces.
  • Supports on-the-fly generation of CSP directives for the browser history helper, OIDC form redirect, OIDC iframe endpoints, and the SAML POST binding redirect.
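The following is an added illustration of the nonce mechanism the proposal describes, not code from Keycloak or from this issue. It assumes Keycloak's documented default header (`frame-src 'self'; frame-ancestors 'self'; object-src 'none';`) as the baseline, invents a `${nonce.script}` / `${nonce.style}` placeholder convention to stand in for a NonceBean-backed FreeMarker template, and adds a defender-side check that flags any inline `<script>` or `<style>` tag the resulting policy would block. The function names, the sample template and the exact strengthened policy are all assumptions.

```python
import re
import secrets
from typing import Dict, List

# Keycloak's documented default CSP, used here as the baseline policy.
BASE_CSP: Dict[str, List[str]] = {
    "frame-src": ["'self'"],
    "frame-ancestors": ["'self'"],
    "object-src": ["'none'"],
}


def generate_nonce(num_bytes: int = 16) -> str:
    # 128 bits from the OS CSPRNG, base64url encoded. CSP only needs the
    # nonce to be unguessable and fresh for every response.
    return secrets.token_urlsafe(num_bytes)


def build_csp(script_nonce: str, style_nonce: str, form_action: str = "'self'") -> str:
    # Extend the baseline with the three directives the issue asks for.
    # script-src / style-src carry only the per-response nonce, so any tag
    # without a matching nonce attribute is refused by the browser.
    directives = dict(BASE_CSP)
    directives["form-action"] = [form_action]
    directives["script-src"] = [f"'nonce-{script_nonce}'"]
    directives["style-src"] = [f"'nonce-{style_nonce}'"]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items()) + ";"


def parse_csp(header: str) -> Dict[str, List[str]]:
    # Minimal directive parser: "name value value; name value;" -> dict.
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def render_template(template: str, script_nonce: str, style_nonce: str) -> str:
    # Stand-in for a NonceBean exposed to FreeMarker (placeholder syntax is assumed).
    return template.replace("${nonce.script}", script_nonce).replace("${nonce.style}", style_nonce)


_TAG_RE = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
_NONCE_RE = re.compile(r'\bnonce="([^"]*)"')


def tags_blocked_by_policy(html: str, csp_header: str) -> List[str]:
    """Return every <script>/<style> opening tag whose nonce is absent from,
    or does not match, the corresponding directive of csp_header."""
    policy = parse_csp(csp_header)

    def allowed_nonces(directive: str) -> set:
        return {v[len("'nonce-"):-1] for v in policy.get(directive, []) if v.startswith("'nonce-")}

    allowed = {"script": allowed_nonces("script-src"), "style": allowed_nonces("style-src")}
    blocked = []
    for match in _TAG_RE.finditer(html):
        kind, attrs = match.group(1).lower(), match.group(2)
        nonce = _NONCE_RE.search(attrs)
        if nonce is None or nonce.group(1) not in allowed[kind]:
            blocked.append(match.group(0))
    return blocked


# Constructed sample template: one correctly nonced style, one correctly
# nonced script, and one script a template author forgot to tag.
SAMPLE_TEMPLATE = (
    '<html><head><style nonce="${nonce.style}">body{margin:0}</style></head>'
    '<body><script nonce="${nonce.script}">init()</script>'
    '<script>legacy()</script></body></html>'
)

if __name__ == "__main__":
    script_nonce, style_nonce = generate_nonce(), generate_nonce()
    header = build_csp(script_nonce, style_nonce)
    page = render_template(SAMPLE_TEMPLATE, script_nonce, style_nonce)
    print("Content-Security-Policy:", header)
    print("blocked tags:", tags_blocked_by_policy(page, header))
```

The check is the useful part when reviewing a template change like the one proposed: run it over each rendered page with the header that page actually emits, and any tag it reports is one the browser will silently refuse once the nonce-only `script-src` / `style-src` ships. External stylesheets via `<link rel="stylesheet">` are also subject to `style-src` and are not covered by this simplified scan.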

Discussion

No response

Motivation

No response

Details

No response
