From 8d1df08b81e1e0eea28e480de236dc0501674edc Mon Sep 17 00:00:00 2001
From: Mathijs van Veluw
Date: Tue, 4 Feb 2025 13:20:32 +0100
Subject: [PATCH] Fix icon redirect not working on desktop (#5536)

* Fix icon redirect not working on desktop
We also need to exclude the header in case we do an external_icon call. Fixes #5535
Signed-off-by: BlackDex
* Add informational comments to the icon_external function
Signed-off-by: BlackDex
* Fix spelling/grammar
Signed-off-by: BlackDex
---------
Signed-off-by: BlackDex
---
 src/api/icons.rs | 3 +++
 src/util.rs | 12 ++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/api/icons.rs b/src/api/icons.rs
index fc4e0ccf..0b437d53 100644
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@@ -63,6 +63,9 @@ static CLIENT: Lazy = Lazy::new(|| {
 // Build Regex only once since this takes a lot of time.
 static ICON_SIZE_REGEX: Lazy = Lazy::new(|| Regex::new(r"(?x)(\d+)\D*(\d+)").unwrap());
 
+// The function name `icon_external` is checked in the `on_response` function in `AppHeaders`
+// It is used to prevent sending a specific header which breaks icon downloads.
+// If this function needs to be renamed, also adjust the code in `util.rs`
 #[get("//icon.png")]
 fn icon_external(domain: &str) -> Option {
     if !is_valid_domain(domain) {
diff --git a/src/util.rs b/src/util.rs
index ecd079cf..1f8d1c27 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -56,13 +56,17 @@ impl Fairing for AppHeaders {
         res.set_raw_header("X-Content-Type-Options", "nosniff");
         res.set_raw_header("X-Robots-Tag", "noindex, nofollow");
 
-        if !res.headers().get_one("Content-Type").is_some_and(|v| v.starts_with("image/")) {
-            res.set_raw_header("Cross-Origin-Resource-Policy", "same-origin");
-        }
-
         // Obsolete in modern browsers, unsafe (XS-Leak), and largely replaced by CSP
         res.set_raw_header("X-XSS-Protection", "0");
 
+        // The `Cross-Origin-Resource-Policy` header should not be set on images or on the `icon_external` route.
+        // Otherwise some clients, like the Bitwarden Desktop, will fail to download the icons
+        if !(res.headers().get_one("Content-Type").is_some_and(|v| v.starts_with("image/"))
+            || req.route().is_some_and(|v| v.name.as_deref() == Some("icon_external")))
+        {
+            res.set_raw_header("Cross-Origin-Resource-Policy", "same-origin");
+        }
+
         // Do not send the Content-Security-Policy (CSP) Header and X-Frame-Options for the *-connector.html files.
         // This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo.
         // This is the same behavior as upstream Bitwarden.
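Review bot: The route exemption in the added `if` identifies the handler by the bare string `Some("icon_external")`, and the only thing tying that string to the handler is the comment added in the `src/api/icons.rs` hunk; renaming the function compiles cleanly and silently re-enables `Cross-Origin-Resource-Policy: same-origin` on the icon redirect, which is exactly the regression this commit fixes. Declaring the name once next to the handler, e.g. `pub const ICON_EXTERNAL_ROUTE: &str = "icon_external";`, and comparing with `v.name.as_deref() == Some(ICON_EXTERNAL_ROUTE)` here lets the compiler enforce the coupling instead of a comment. The new comment could also say why the route check is needed in addition to the `image/` check — presumably because the route answers with a redirect rather than an image body, so the `Content-Type` test alone does not match it; that keeps a later reader from treating the second condition as redundant and dropping it. `on_response` begins before this hunk and continues after it.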