mirror of
https://github.com/bitwarden/server.git
synced 2024-12-26 17:37:36 +01:00
[PS-2416 and PS-2417] dont set CSP config value by default (#2667)
* dont set CSP config value by default * space
This commit is contained in:
parent
7e74695afc
commit
0e84678150
@ -76,13 +76,7 @@ public class Configuration
|
||||
[Description("Nginx Header Content-Security-Policy parameter\n" +
|
||||
"WARNING: Reconfiguring this parameter may break features. By changing this parameter\n" +
|
||||
"you become responsible for maintaining this value.")]
|
||||
public string NginxHeaderContentSecurityPolicy { get; set; } = "default-src 'self'; " +
|
||||
"script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; " +
|
||||
"img-src 'self' data: https://haveibeenpwned.com; " +
|
||||
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
||||
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
||||
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
|
||||
"https://api.2fa.directory; object-src 'self' blob:;";
|
||||
public string NginxHeaderContentSecurityPolicy { get; set; }
|
||||
|
||||
[Description("Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile\n" +
|
||||
"app live sync.")]
|
||||
|
@ -6,6 +6,14 @@ namespace Bit.Setup;
|
||||
public class Context
|
||||
{
|
||||
private const string ConfigPath = "/bitwarden/config.yml";
|
||||
// This keeps track of the value of the CSP that was defined as of Jan 2023.
|
||||
// Do not change this value.
|
||||
private const string Jan2023ContentSecurityPolicy = "default-src 'self'; style-src 'self' " +
|
||||
"'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; " +
|
||||
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
||||
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
||||
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
|
||||
"https://api.2fa.directory; object-src 'self' blob:;";
|
||||
|
||||
public string[] Args { get; set; }
|
||||
public bool Quiet { get; set; }
|
||||
@ -117,6 +125,13 @@ public class Context
|
||||
.WithNamingConvention(UnderscoredNamingConvention.Instance)
|
||||
.Build();
|
||||
Config = deserializer.Deserialize<Configuration>(configText);
|
||||
|
||||
// Fix old explicit config assignments of CSP which should be treated as a default value
|
||||
if (Config.NginxHeaderContentSecurityPolicy == Jan2023ContentSecurityPolicy)
|
||||
{
|
||||
Config.NginxHeaderContentSecurityPolicy = null;
|
||||
SaveConfiguration();
|
||||
}
|
||||
}
|
||||
|
||||
public void SaveConfiguration()
|
||||
|
@ -4,6 +4,14 @@ public class NginxConfigBuilder
|
||||
{
|
||||
private const string ConfFile = "/bitwarden/nginx/default.conf";
|
||||
|
||||
private const string DefaultContentSecurityPolicy = "default-src 'self'; " +
|
||||
"script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; " +
|
||||
"img-src 'self' data: https://haveibeenpwned.com; " +
|
||||
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
||||
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
|
||||
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
|
||||
"https://api.2fa.directory; object-src 'self' blob:;";
|
||||
|
||||
private readonly Context _context;
|
||||
|
||||
public NginxConfigBuilder(Context context)
|
||||
@ -72,7 +80,12 @@ public class NginxConfigBuilder
|
||||
Domain = context.Config.Domain;
|
||||
Url = context.Config.Url;
|
||||
RealIps = context.Config.RealIps;
|
||||
ContentSecurityPolicy = string.Format(context.Config.NginxHeaderContentSecurityPolicy, Domain);
|
||||
var csp = DefaultContentSecurityPolicy;
|
||||
if (!string.IsNullOrWhiteSpace(context.Config.NginxHeaderContentSecurityPolicy))
|
||||
{
|
||||
csp = context.Config.NginxHeaderContentSecurityPolicy;
|
||||
}
|
||||
ContentSecurityPolicy = string.Format(csp, Domain);
|
||||
|
||||
if (Ssl)
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user