geforkt von mirrored/vaultwarden
Allow FireFox relay in CSP.
This PR is needed for https://github.com/dani-garcia/bw_web_builds/pull/71 Without this the web-vault will refuse to make calls to the FireFox Relay API. Also fixed a small issue with the pre-commit config.
Dieser Commit ist enthalten in:
Ursprung
887e320e7f
Commit
006a2aacbb
2 geänderte Dateien mit 16 neuen und 8 gelöschten Zeilen
|
@ -26,8 +26,8 @@ repos:
|
||||||
entry: cargo test
|
entry: cargo test
|
||||||
language: system
|
language: system
|
||||||
args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"]
|
args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"]
|
||||||
types_or: [file, rust]
|
types_or: [rust, file]
|
||||||
files: (Cargo.toml|Cargo.lock)
|
files: (Cargo.toml|Cargo.lock|.*\.rs$)
|
||||||
pass_filenames: false
|
pass_filenames: false
|
||||||
- id: cargo-clippy
|
- id: cargo-clippy
|
||||||
name: cargo clippy
|
name: cargo clippy
|
||||||
|
@ -35,6 +35,6 @@ repos:
|
||||||
entry: cargo clippy
|
entry: cargo clippy
|
||||||
language: system
|
language: system
|
||||||
args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"]
|
args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"]
|
||||||
types_or: [file, rust]
|
types_or: [rust, file]
|
||||||
files: (Cargo.toml|Cargo.lock)
|
files: (Cargo.toml|Cargo.lock|.*\.rs$)
|
||||||
pass_filenames: false
|
pass_filenames: false
|
||||||
|
|
12
src/util.rs
12
src/util.rs
|
@ -50,17 +50,25 @@ impl Fairing for AppHeaders {
|
||||||
// This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo.
|
// This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo.
|
||||||
// This is the same behaviour as upstream Bitwarden.
|
// This is the same behaviour as upstream Bitwarden.
|
||||||
if !req_uri_path.ends_with("connector.html") {
|
if !req_uri_path.ends_with("connector.html") {
|
||||||
let csp = format!(
|
// # Frame Ancestors:
|
||||||
// Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
|
// Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
|
||||||
// Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
|
// Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
|
||||||
// Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/
|
// Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/
|
||||||
|
// # img/child/frame src:
|
||||||
|
// Have I Been Pwned and Gravator to allow those calls to work.
|
||||||
|
// # Connect src:
|
||||||
|
// Leaked Passwords check: api.pwnedpasswords.com
|
||||||
|
// 2FA/MFA Site check: 2fa.directory
|
||||||
|
// # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
|
||||||
|
// app.simplelogin.io, app.anonaddy.com, relay.firefox.com
|
||||||
|
let csp = format!(
|
||||||
"default-src 'self'; \
|
"default-src 'self'; \
|
||||||
script-src 'self'{script_src}; \
|
script-src 'self'{script_src}; \
|
||||||
style-src 'self' 'unsafe-inline'; \
|
style-src 'self' 'unsafe-inline'; \
|
||||||
img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; \
|
img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; \
|
||||||
child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
||||||
frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
||||||
connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/; \
|
connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://relay.firefox.com/api/; \
|
||||||
object-src 'self' blob:; \
|
object-src 'self' blob:; \
|
||||||
frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {};",
|
frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {};",
|
||||||
CONFIG.allowed_iframe_ancestors()
|
CONFIG.allowed_iframe_ancestors()
|
||||||
|
|
Laden …
In neuem Issue referenzieren