From 037eb0b790b06ebeeead9f9ff9fe802dc05db1e0 Mon Sep 17 00:00:00 2001
From: dheimerl <34488243+dheimerl@users.noreply.github.com>
Date: Sat, 15 Dec 2018 13:23:07 -0600
Subject: [PATCH 1/3] Update web.rs

Add frame-ancestors to allow U2F to work in Chrome (and possibly Firefox) extension
---
 src/api/web.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/api/web.rs b/src/api/web.rs
index 8db632a9..e395504d 100644
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -56,6 +56,8 @@ impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> {
                 res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
                 res.set_raw_header("X-Content-Type-Options", "nosniff");
                 res.set_raw_header("X-XSS-Protection", "1; mode=block");
+                res.set_raw_header("Content-Security-Policy", "frame-ancestors chrome-extension://*");
+                res.set_raw_header("Content-Security-Policy", "frame-ancestors moz-extension://*");
 
                 Ok(res)
             },

From 7f7c9360493c863f7297222b32f49c408ea558e2 Mon Sep 17 00:00:00 2001
From: dheimerl <34488243+dheimerl@users.noreply.github.com>
Date: Mon, 17 Dec 2018 22:59:53 -0600
Subject: [PATCH 2/3] Fixed web.rs

---
 src/api/web.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/api/web.rs b/src/api/web.rs
index e395504d..31bfe3a0 100644
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -56,8 +56,8 @@ impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> {
                 res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
                 res.set_raw_header("X-Content-Type-Options", "nosniff");
                 res.set_raw_header("X-XSS-Protection", "1; mode=block");
-                res.set_raw_header("Content-Security-Policy", "frame-ancestors chrome-extension://*");
-                res.set_raw_header("Content-Security-Policy", "frame-ancestors moz-extension://*");
+                let csp = "frame-ancestors chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ".to_owned() + &CONFIG.domain + ";";
+                res.set_raw_header("Content-Security-Policy", csp);
 
                 Ok(res)
             },

From 9a7d3634d5efb5bddfc7065f971eae467370813f Mon Sep 17 00:00:00 2001
From: dheimerl <34488243+dheimerl@users.noreply.github.com>
Date: Tue, 18 Dec 2018 10:19:35 -0600
Subject: [PATCH 3/3] Changed frame-ancestors to use 'self'

---
 src/api/web.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/api/web.rs b/src/api/web.rs
index 31bfe3a0..bcf41bd7 100644
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -56,7 +56,7 @@ impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> {
                 res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
                 res.set_raw_header("X-Content-Type-Options", "nosniff");
                 res.set_raw_header("X-XSS-Protection", "1; mode=block");
-                let csp = "frame-ancestors chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ".to_owned() + &CONFIG.domain + ";";
+                let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;";
                 res.set_raw_header("Content-Security-Policy", csp);
 
                 Ok(res)