
Azure B2C pages throw a Content Security Policy error on clicking the Next/Continue buttons on different steps of the login/reset-password flows. If I type an email (or leave it empty) and click the Next button on the first step of login, the error is thrown, but if I press Enter there are no errors.

[Image 1]

The reason for it is that, on the one hand, the CSP on those pages doesn't allow inline code, but on the other hand there are some pieces of inline code inserted by Azure B2C, e.g. action="javascript:void(0)" in forms.

[Image 2]

Debugging the JS code shows that there is a line of code that prevents calling this inline action (action="javascript:void(0)") on pressing Enter, and there is no such prevention on clicking the Next button. There are several such places in forms on different steps.

This part of the code is generated by Azure B2C. Changing the CSP is not possible because it's set on the Azure side as well. In fact, this error doesn't block the login flow, but it throws a lot of errors on each step.

Does anybody have the same issue and suggestions for how to avoid it?

M123

1 Answer


The JavaScript navigation action="javascript:void(0)" is there to prevent accidental submission of the form, because the real submission is performed by JavaScript after validating the data.
Content Security Policy treats action="javascript:void(0)" as an inline script and blocks it, doing the same thing: preventing the form submit.
The logic of the Azure B2C login pages is not violated; just an annoying message appears in the console.

The different behaviour when you press Enter and when you press Next is due to the fact that one of the event handlers does not call event.preventDefault().

Therefore you can completely ignore this CSP error: nothing useful is blocked. This error is "on the conscience" of Azure AD B2B; you can change the CSP or the login form code, and adding 'unsafe-inline' leads to more destructive consequences (XSS capabilities). So Azure B2B chose the lesser of two evils.

Note: AFAIK you can create your own "Custom page for authorization"; maybe it will be free of this error.

granty
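As an added example, not code from the Azure B2C pages or from either poster: a Node-runnable model of the two handler paths the answer describes, with a small stand-in for the DOM form and event. The form action "javascript:void(0)", the CSP script-src list, the email check and the form values are constructed assumptions.

```javascript
function makeEvent() {
  return { defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
}

// A CSP script-src list permits javascript: URLs only with 'unsafe-inline'.
function cspAllowsJavascriptUrl(scriptSrc) {
  return scriptSrc.includes("'unsafe-inline'");
}

// Browser's default action once the handlers have run: navigate to the form action unless
// a handler suppressed it. A javascript: action is inline script, so strict CSP refuses it.
function defaultAction(form, event, scriptSrc) {
  if (event.defaultPrevented) return "suppressed";
  if (form.action.startsWith("javascript:")) {
    return cspAllowsJavascriptUrl(scriptSrc) ? "inline-js-ran" : "csp-violation";
  }
  return "navigated:" + form.action;
}

// Stand-in for the page's real submit path: validate, then send via script.
function validateAndSubmit(form) {
  form.submitted = /^\S+@\S+$/.test(form.email); // constructed check
  return form.submitted;
}

// Enter-key path as on the page: preventDefault() is called, so the default action is gone.
function onEnter(form, event) {
  event.preventDefault();
  validateAndSubmit(form);
}

// Next-button path as on the page: preventDefault() is missing, so the browser still
// tries the javascript: action and CSP reports it in the console.
function onNextClick(form, event) {
  validateAndSubmit(form);
}

// The fix the comments point at: call preventDefault() in the click path too.
function onNextClickFixed(form, event) {
  event.preventDefault();
  validateAndSubmit(form);
}

// Run one handler against a fresh (constructed) form; return the browser's next step.
function simulate(handler, scriptSrc = ["'self'"]) {
  const form = { action: "javascript:void(0)", email: "user@example.com", submitted: false };
  const event = makeEvent();
  handler(form, event);
  return { outcome: defaultAction(form, event, scriptSrc), submitted: form.submitted };
}
```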
  • Yes, it's the correct description of the way it works and what causes the error. The form is the part inserted by Azure and there is no access for modifying it. The CSP is also set on the Azure side and it's not possible to overwrite it with a weaker policy, and as you said this is a bad way to allow inline scripting as well. My understanding is that the only possible way to fix it is adding `event.preventDefault()` in the several places where it's missed by the Microsoft team. – Andriy Bilyak Nov 08 '21 at 09:19
  • In my case I got this error on my Signup flow and it blocks me from proceeding to sign up my user. – Raffy Oct 20 '22 at 14:12