Allow adding connect-src entries (#5293)
Bitwarden allows the use of self-hosted forwarded-email services. But for this to work you need to add custom URLs to the `connect-src` CSP entry. This commit allows setting this and checks whether each URL starts with `https://`; otherwise it will abort loading. Fixes #5290 Signed-off-by: BlackDex <black.dex@gmail.com>
This commit is contained in:
parent
9cd400db6c
commit
4d6d3443ae
3 changed files with 22 additions and 2 deletions
@ -410,6 +410,14 @@
## Multiple values must be separated with a whitespace.
## Multiple values must be separated with a whitespace.
# ALLOWED_IFRAME_ANCESTORS=
# ALLOWED_IFRAME_ANCESTORS=
## Allowed connect-src (Know the risks!)
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
# ALLOWED_CONNECT_SRC=""
## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
# LOGIN_RATELIMIT_SECONDS=60
# LOGIN_RATELIMIT_SECONDS=60
## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
@ -238,6 +238,7 @@ macro_rules! make_config {
// Besides Pass, only String types will be masked via _privacy_mask.
// Besides Pass, only String types will be masked via _privacy_mask.
const PRIVACY_CONFIG: &[&str] = &[
const PRIVACY_CONFIG: &[&str] = &[
"allowed_iframe_ancestors",
"allowed_iframe_ancestors",
"allowed_connect_src",
"database_url",
"database_url",
"domain_origin",
"domain_origin",
"domain_path",
"domain_path",
@ -610,6 +611,9 @@ make_config! {
/// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
/// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
allowed_iframe_ancestors: String, true, def, String::new();
allowed_iframe_ancestors: String, true, def, String::new();
/// Allowed connect-src (Know the risks!) |> Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
allowed_connect_src: String, true, def, String::new();
/// Seconds between login requests |> Number of seconds, on average, between login and 2FA requests from the same IP address before rate limiting kicks in
/// Seconds between login requests |> Number of seconds, on average, between login and 2FA requests from the same IP address before rate limiting kicks in
login_ratelimit_seconds: u64, false, def, 60;
login_ratelimit_seconds: u64, false, def, 60;
/// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `login_ratelimit_seconds`. Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2
/// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `login_ratelimit_seconds`. Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2
@ -761,6 +765,13 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
);
);
}
}
let connect_src = cfg.allowed_connect_src.to_lowercase();
for url in connect_src.split_whitespace() {
if !url.starts_with("https://") || Url::parse(url).is_err() {
err!("ALLOWED_CONNECT_SRC variable contains one or more invalid URLs. Only FQDN's starting with https are allowed");
}
}
let whitelist = &cfg.signups_domains_whitelist;
let whitelist = &cfg.signups_domains_whitelist;
if !whitelist.is_empty() && whitelist.split(',').any(|d| d.trim().is_empty()) {
if !whitelist.is_empty() && whitelist.split(',').any(|d| d.trim().is_empty()) {
err!("`SIGNUPS_DOMAINS_WHITELIST` contains empty tokens");
err!("`SIGNUPS_DOMAINS_WHITELIST` contains empty tokens");
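Review bot: The check in the added `for url in connect_src.split_whitespace()` loop only proves that the lowercased token starts with `https://` and that `Url::parse` accepts it, which is weaker than the "only FQDNs" contract the error message and the `.env.template` comment promise: a token carrying userinfo, a query or a fragment still passes, and it is not obvious that `Url::parse` rejects every character that has meaning inside a CSP source list, so such a token would reach the `Content-Security-Policy` header built in util.rs unchanged. Validating `to_lowercase()` also means the string that is checked is not the one `CONFIG.allowed_connect_src()` later emits; `Url::parse` already normalises the scheme, so the lowercase copy is unnecessary. Checking the parsed components instead keeps the same error message and closes both gaps. validate_config starts before this hunk.
```rust
    for url in cfg.allowed_connect_src.split_whitespace() {
        // Accept only an https origin (optionally with a path): no credentials,
        // query or fragment, so the value is a plain CSP host-source once it
        // is interpolated into the header.
        let is_plain_https_origin = Url::parse(url).map_or(false, |u| {
            u.scheme() == "https"
                && u.host_str().is_some()
                && u.username().is_empty()
                && u.password().is_none()
                && u.query().is_none()
                && u.fragment().is_none()
        });
        if !is_plain_https_origin {
            err!("ALLOWED_CONNECT_SRC variable contains one or more invalid URLs. Only FQDN's starting with https are allowed");
        }
    }
    // … unchanged: signups_domains_whitelist check …
```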
@ -98,10 +98,11 @@ impl Fairing for AppHeaders {
https://app.addy.io/api/ \
https://app.addy.io/api/ \
https://api.fastmail.com/ \
https://api.fastmail.com/ \
https://api.forwardemail.net \
https://api.forwardemail.net \
;\
{allowed_connect_src};\
",
",
icon_service_csp = CONFIG._icon_service_csp(),
icon_service_csp = CONFIG._icon_service_csp(),
allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors(),
allowed_connect_src = CONFIG.allowed_connect_src(),
);
);
res.set_raw_header("Content-Security-Policy", csp);
res.set_raw_header("Content-Security-Policy", csp);
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
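Review bot: `{allowed_connect_src}` is interpolated verbatim into the `Content-Security-Policy` value, so the safety of this line rests entirely on `validate_config` in config.rs having rejected anything that is not an `https://` URL, and nothing in this hunk records that dependency. A short comment on the new `allowed_connect_src = CONFIG.allowed_connect_src(),` line would keep the next maintainer from treating the value as free-form text: `// Validated in validate_config(): whitespace-separated https:// URLs only; emitted unescaped into the header.`. Note also that, because the `\` continuation keeps the trailing space after `https://api.forwardemail.net`, an empty setting yields `https://api.forwardemail.net ;`; this should be harmless to parsers but a `.trim()` on the value would avoid the stray space. The enclosing `impl Fairing for AppHeaders` method starts before this hunk.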