From 006a2aacbbb31736edb67b5887842813728daf38 Mon Sep 17 00:00:00 2001 From: BlackDex Date: Mon, 20 Jun 2022 16:26:41 +0200 Subject: [PATCH] Allow FireFox relay in CSP. This PR is needed for https://github.com/dani-garcia/bw_web_builds/pull/71 Without this the web-vault will refuse to make calls to the FireFox Relay API. Also fixed a small issue with the pre-commit config. --- .pre-commit-config.yaml | 8 ++++---- src/util.rs | 16 ++++++++++++---- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8f31035a..eb44b47f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -26,8 +26,8 @@ repos: entry: cargo test language: system args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"] - types_or: [file, rust] - files: (Cargo.toml|Cargo.lock) + types_or: [rust, file] + files: (Cargo.toml|Cargo.lock|.*\.rs$) pass_filenames: false - id: cargo-clippy name: cargo clippy @@ -35,6 +35,6 @@ repos: entry: cargo clippy language: system args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"] - types_or: [file, rust] - files: (Cargo.toml|Cargo.lock) + types_or: [rust, file] + files: (Cargo.toml|Cargo.lock|.*\.rs$) pass_filenames: false diff --git a/src/util.rs b/src/util.rs index 55208aeb..82cb328e 100644 --- a/src/util.rs +++ b/src/util.rs @@ -50,17 +50,25 @@ impl Fairing for AppHeaders { // This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo. // This is the same behaviour as upstream Bitwarden. if !req_uri_path.ends_with("connector.html") { + // # Frame Ancestors: + // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb + // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US + // Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/ + // # img/child/frame src: + // Have I Been Pwned and Gravator to allow those calls to work. + // # Connect src: + // Leaked Passwords check: api.pwnedpasswords.com + // 2FA/MFA Site check: 2fa.directory + // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/ + // app.simplelogin.io, app.anonaddy.com, relay.firefox.com let csp = format!( - // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb - // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US - // Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/ "default-src 'self'; \ script-src 'self'{script_src}; \ style-src 'self' 'unsafe-inline'; \ img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; \ child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \ frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \ - connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/; \ + connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://relay.firefox.com/api/; \ object-src 'self' blob:; \ frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {};", CONFIG.allowed_iframe_ancestors()