IdentityServer 7.4.0 has the wrong check session endpoint CSP Hash

[Tornhoof]

Repro:

1. Open Chrome Dev tools
2. Go to https://demo.duendesoftware.com/connect/checksession (your official page)
3. see Console Errors for checksession.

checksession:12 Executing inline script violates the following Content Security Policy directive 'script-src 'sha256-fa5rxHhZ799izGRP38+h4ud5QXNT0SFaFlh4eqDumBI=''. Either the 'unsafe-inline' keyword, a hash ('sha256-4Hj97GNFvt0k8A6DbSr2hoRb/RJmCCakAgE+4zuVeHs='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.

(the same happens on my own installation, that's where i noticed it)

[maartenba]

Thanks @Tornhoof ! Did a quick investigation and seems some whitespace was changed in the script and not reflected in the hashed constant. Discussing with the team 👍

[Tornhoof]

Yeah I saw the PR, good idea to add tests for it.
I don't really see a good way to prevent this from happening in the future, neither verbatim strings nor raw strings really prevent that, you could move the source file out of the type and put it as a resource, but that's kinda it, so the tests are a nice addition.

[maartenba]

We briefly contemplated moving the script out and do a source generator, but that seemed overkill for 1 instance (and potentially 3, for which we now have tests)

[Tornhoof]

Yup, makes sense.

[maartenba]

Fix is up - https://github.com/DuendeSoftware/products/releases/tag/is-7.4.1

[Tornhoof]

I can confirm that V7.4.1 has the correct csp hash.