diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index 1c6aef12f..e682759c3 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -169,7 +169,7 @@ namespace Bit.Api
 app.UseRouting();
 // Add Cors
- app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
+ app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 // Add authentication and authorization to the request pipeline.
diff --git a/src/Core/IdentityServer/VaultCorsPolicyService.cs b/src/Core/IdentityServer/VaultCorsPolicyService.cs
index 51476a962..eaa19474a 100644
--- a/src/Core/IdentityServer/VaultCorsPolicyService.cs
+++ b/src/Core/IdentityServer/VaultCorsPolicyService.cs
@@ -1,20 +1,21 @@
-using IdentityServer4.Services;
+using Bit.Core.Utilities;
+using IdentityServer4.Services;
 using System.Threading.Tasks;
 namespace Bit.Core.IdentityServer
 {
- public class VaultCorsPolicyService : ICorsPolicyService
+ public class CustomCorsPolicyService : ICorsPolicyService
 {
 private readonly GlobalSettings _globalSettings;
- public VaultCorsPolicyService(GlobalSettings globalSettings)
+ public CustomCorsPolicyService(GlobalSettings globalSettings)
 {
 _globalSettings = globalSettings;
 }
 public Task IsOriginAllowedAsync(string origin)
 {
- return Task.FromResult(origin == _globalSettings.BaseServiceUri.Vault);
+ return Task.FromResult(CoreHelpers.IsCorsOriginAllowed(origin, _globalSettings));
 }
 }
 }
diff --git a/src/Core/Utilities/CoreHelpers.cs b/src/Core/Utilities/CoreHelpers.cs
index bf71f7c56..594d8d0ae 100644
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
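Review bot: The new predicate widens the allow-list while the policy still chains `.AllowCredentials()`, so every origin that passes `CoreHelpers.IsCorsOriginAllowed` is echoed back with `Access-Control-Allow-Credentials: true`; the helper's body is not in this hunk, but the same `AllowCredentials()` line appears in the Events and Notifications startups, so the credentials decision is now made three times against one shared list. If the API authenticates only through a caller-supplied bearer header rather than cookies, `AllowCredentials()` buys nothing and dropping it shrinks the blast radius of any origin the shared list admits; the authentication setup is outside this hunk, so confirm before removing it. Style: the three startups now carry an identical four-line policy, which is easier to keep in sync as one `CoreHelpers.ConfigureCorsPolicy(policy, globalSettings)` call or at least a `// Shared with Identity, Events and Notifications — keep the allow-list in CoreHelpers.IsCorsOriginAllowed` comment above `app.UseCors`.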
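Review bot: The type is renamed to `CustomCorsPolicyService` but the diff header still shows it living in `src/Core/IdentityServer/VaultCorsPolicyService.cs`, so the filename no longer matches the one public type it holds; rename the file (`git mv VaultCorsPolicyService.cs CustomCorsPolicyService.cs`) in the same commit so the class stays discoverable. The class also has no XML doc; I would add `/// <summary>IdentityServer CORS policy that delegates to <see cref="CoreHelpers.IsCorsOriginAllowed"/> so Identity shares one origin allow-list with the API, Events and Notifications hosts.</summary>` above the class line. The whole class is inside this hunk, so no behavior is hidden outside it.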
@@ -595,5 +595,16 @@ namespace Bit.Core.Utilities
 return httpContext.Connection?.RemoteIpAddress?.ToString();
 }
+
+ public static bool IsCorsOriginAllowed(string origin, GlobalSettings globalSettings)
+ {
+ return
+ // Web vault
+ origin == globalSettings.BaseServiceUri.Vault ||
+ // Safari extension origin
+ origin == "file://" ||
+ // Product website
+ (!globalSettings.SelfHosted && origin == "https://bitwarden.com");
+ }
 }
 }
diff --git a/src/Core/Utilities/ServiceCollectionExtensions.cs b/src/Core/Utilities/ServiceCollectionExtensions.cs
index 89bd9a96c..ac49a7718 100644
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@@ -382,7 +382,7 @@ namespace Bit.Core.Utilities
 }
 services.AddTransient();
- services.AddTransient();
+ services.AddTransient();
 services.AddScoped();
 services.AddScoped();
 services.AddSingleton();
diff --git a/src/Events/Startup.cs b/src/Events/Startup.cs
index 4149dffb7..8f877fa05 100644
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@@ -101,7 +101,7 @@ namespace Bit.Events
 app.UseRouting();
 // Add Cors
- app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
+ app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 // Add authentication and authorization to the request pipeline.
diff --git a/src/Notifications/Startup.cs b/src/Notifications/Startup.cs
index 564db90e2..aafc8f82c 100644
--- a/src/Notifications/Startup.cs
+++ b/src/Notifications/Startup.cs
@@ -102,7 +102,7 @@ namespace Bit.Notifications
 app.UseRouting();
 // Add Cors
- app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
+ app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 // Add authentication to the request pipeline.
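Review bot: The `origin == "file://"` branch is labelled "Safari extension origin", but the `Origin` header is whatever the browser chooses to send, and a browser that reports local-filesystem pages as `file://` (as Safari appears to for `file:` URLs — confirm) would let any HTML file a user opens locally satisfy this check, and the four hosts that call this helper pair it with `AllowCredentials()`; the comment should say so explicitly so nobody later reads it as a narrow, extension-only exception, e.g. `// Safari extension origin. NOTE: any page loaded from file:// in a browser that sends this Origin also matches, so do not rely on this branch for isolation.`. Separately, all three comparisons are exact ordinal string equality, so `globalSettings.BaseServiceUri.Vault` must be configured as a bare origin (`scheme://host[:port]`, no trailing slash or path, same case the browser sends) or the web-vault branch silently never matches; that contract belongs in an XML doc on the new public method, describing the three accepted values, that `origin` may be null (which simply fails every comparison), and that the result is combined with `AllowCredentials()` by every caller. The ServiceCollectionExtensions hunk appears to have lost its generic type arguments to extraction (both `AddTransient()` lines print without `<...>`), so I cannot confirm the registration swap from this page.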