nickslowinski/vaultwarden-test
1
0
Fork 0
geforkt von mirrored/vaultwarden
Code Pull-Requests Aktivität

Merge branch 'jjlin-csp'

Quellcode durchsuchen
Dieser Commit ist enthalten in:
Daniel García 2022-10-14 17:56:03 +02:00
Commit 736dbc9553
Es konnte kein GPG-Schlüssel zu dieser Signatur gefunden werden
GPG-Schlüssel-ID: FC8A7D14C3CD543A
1 geänderte Dateien mit 22 neuen und 7 gelöschten Zeilen
Statistiken anzeigen Patch-Datei herunterladen Diff-Datei herunterladen Alle Dateien ausklappen Alle Dateien einklappen

25
src/util.rs
Datei anzeigen

@ -60,17 +60,32 @@ impl Fairing for AppHeaders {
// Leaked Passwords check: api.pwnedpasswords.com // Leaked Passwords check: api.pwnedpasswords.com
// 2FA/MFA Site check: 2fa.directory // 2FA/MFA Site check: 2fa.directory
// # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/ // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
// app.simplelogin.io, app.anonaddy.com, api.fastmail.com // app.simplelogin.io, app.anonaddy.com, api.fastmail.com, quack.duckduckgo.com
let csp = format!( let csp = format!(
"default-src 'self'; \ "default-src 'self'; \
object-src 'self' blob:; \
script-src 'self'{script_src}; \ script-src 'self'{script_src}; \
style-src 'self' 'unsafe-inline'; \ style-src 'self' 'unsafe-inline'; \
img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com {icon_service_csp}; \
child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \ child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \ frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/; \ frame-ancestors 'self' \
object-src 'self' blob:; \ chrome-extension://nngceckbapebfimnlniiiahkandclblb \
frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {allowed_iframe_ancestors};", chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
moz-extension://* \
{allowed_iframe_ancestors}; \
img-src 'self' data: \
https://haveibeenpwned.com/ \
https://www.gravatar.com \
{icon_service_csp}; \
connect-src 'self' \
https://api.pwnedpasswords.com/range/ \
https://2fa.directory/api/ \
https://app.simplelogin.io/api/ \
https://app.anonaddy.com/api/ \
https://api.fastmail.com/ \
https://quack.duckduckgo.com/api/email/ \
;\
",
icon_service_csp = CONFIG._icon_service_csp(), icon_service_csp = CONFIG._icon_service_csp(),
allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors() allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
); );