...
Prior to V5.1, the default value of the idp.csp property was set to frame-ancestors 'none', essentially just blocking frames. V5.1 adds other CSP declarations that should generally be risk-free to apply and this was done by default, so it applies to any systems not overriding the property. The default rules are intended to work regardless of (expected) changes to the views and do not specifically disallow any Javascript or CSP behavior.
Use in OpenSAML Binding Templates
While many deployers may override them, by default the templates used to carry SAML messages in forms for the non-redirect-based bindings are internal to the OpenSAML library. To allow use (or non-use) of CSP with the default templates, the idp.encoders.cspEnabled property was added to control this. It does default to true, so has to be set to false by hand to disable the new feature. Depending on how much of the templates are overridden, the property may or may not be applicable or effective.
Use in Views
The bulk of this “feature” has to do with supplying tools to make it practical to markup the use of Javascript in views. To that end, two new Spring beans were added to provide support for generating hashes and nonces:
...