SLO and Content-Security-Policy Header

Not a question but an observation on something that took me a day to track down and might save someone some hair. I had set up a test identity provider (basically the ASP.NET ExampleIdentityProvider) and was trying to get my ASP.NET application to use it. SSO was straightforward. SLO hit a problem in that the request to the IdP to SLO just disappeared BUT only when using Chrome - things were fine in IE11. To cut a long, boring story short: I’d forgotten my application had set the Content-Security-Policy security header in IIS and this was causing Chrome to block the SLO request. (Fiddler was my friend here.) IE11 obviously isn’t so strict in handling this new header. Turning it off and SLO springs nicely to life. If I ever get the particular incantation of this header that allows SLO and keeps things secure I’ll let you know.

Best wishes,
Kevin Waite
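
Added example, not part of the original post: the post does not say which directive blocked the request, so this check assumes the SLO message leaves the application as an HTML form POST, which the `form-action` directive governs. It tests a policy string against a target URL; the function names and the `example.test` hosts are hypothetical.

```javascript
// Added example: reduced model of CSP form-action matching (not a full CSP parser).
// Handles 'none', 'self', *, scheme sources (https:) and host sources
// ([scheme://]host[:port], optional leading "*."). Path parts are not modelled.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, target, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return target.origin === self.origin;
  if (s === '*') return /^(https?|wss?):$/.test(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // 'none', other keywords and path sources never match here
  const [, scheme, wildcard, host, port] = m;
  // A schemeless source takes the page's scheme; an http source also matches https.
  const want = (scheme || self.protocol.slice(0, -1)) + ':';
  const schemeOk = target.protocol === want || (want === 'http:' && target.protocol === 'https:');
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  // URL.port is '' when the target uses the default port for its scheme.
  const effective = target.port || (target.protocol === 'https:' ? '443' : '80');
  const portOk = port === '*' || (port ? port === effective : target.port === '');
  return schemeOk && hostOk && portOk;
}

function checkFormAction(cspHeader, pageUrl, targetUrl) {
  const sources = parseCsp(cspHeader).get('form-action');
  // form-action has no default-src fallback: when absent, form posts are unrestricted.
  if (!sources) return { governed: false, allowed: true };
  const self = new URL(pageUrl);
  const target = new URL(targetUrl);
  return { governed: true, allowed: sources.some((s) => sourceMatches(s, target, self)) };
}

// Constructed sample values: hypothetical application and IdP hosts.
const PAGE = 'https://app.example.test/account/logout';
const IDP_SLO = 'https://idp.example.test/slo';
console.log(checkFormAction("default-src 'self'; form-action 'self'", PAGE, IDP_SLO));
console.log(checkFormAction("default-src 'self'; form-action 'self' https://idp.example.test", PAGE, IDP_SLO));
```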

Thanks Kevin for this very useful information.
Here’s a handy link on the Content Security Policy header.