adjust cors origin checks (#800)

* allow cors from bitwarden.com on cloud

* allow file:// cors for safari extension

* fix missing paren

src/Api/Startup.cs

@@ -169,7 +169,7 @@ namespace Bit.Api
             app.UseRouting();
 
             // Add Cors
-            app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
+            app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
                 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 
             // Add authentication and authorization to the request pipeline.

src/Core/IdentityServer/VaultCorsPolicyService.cs

@@ -1,20 +1,21 @@
-using IdentityServer4.Services;
+using Bit.Core.Utilities;
+using IdentityServer4.Services;
 using System.Threading.Tasks;
 
 namespace Bit.Core.IdentityServer
 {
-    public class VaultCorsPolicyService : ICorsPolicyService
+    public class CustomCorsPolicyService : ICorsPolicyService
     {
         private readonly GlobalSettings _globalSettings;
 
-        public VaultCorsPolicyService(GlobalSettings globalSettings)
+        public CustomCorsPolicyService(GlobalSettings globalSettings)
         {
             _globalSettings = globalSettings;
         }
 
         public Task<bool> IsOriginAllowedAsync(string origin)
         {
-            return Task.FromResult(origin == _globalSettings.BaseServiceUri.Vault);
+            return Task.FromResult(CoreHelpers.IsCorsOriginAllowed(origin, _globalSettings));
         }
     }
 }

src/Core/Utilities/CoreHelpers.cs

@@ -595,5 +595,16 @@ namespace Bit.Core.Utilities
 
             return httpContext.Connection?.RemoteIpAddress?.ToString();
         }
+
+        public static bool IsCorsOriginAllowed(string origin, GlobalSettings globalSettings)
+        {
+            return
+                // Web vault
+                origin == globalSettings.BaseServiceUri.Vault ||
+                // Safari extension origin
+                origin == "file://" ||
+                // Product website
+                (!globalSettings.SelfHosted && origin == "https://bitwarden.com");
+        }
     }
 }

src/Core/Utilities/ServiceCollectionExtensions.cs

@@ -382,7 +382,7 @@ namespace Bit.Core.Utilities
             }
 
             services.AddTransient<ClientStore>();
-            services.AddTransient<ICorsPolicyService, VaultCorsPolicyService>();
+            services.AddTransient<ICorsPolicyService, CustomCorsPolicyService>();
             services.AddScoped<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
             services.AddScoped<IProfileService, ProfileService>();
             services.AddSingleton<IPersistedGrantStore, PersistedGrantStore>();

src/Events/Startup.cs

@@ -101,7 +101,7 @@ namespace Bit.Events
             app.UseRouting();
 
             // Add Cors
-            app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
+            app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
                 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 
             // Add authentication and authorization to the request pipeline.

src/Notifications/Startup.cs

@@ -102,7 +102,7 @@ namespace Bit.Notifications
             app.UseRouting();
 
             // Add Cors
-            app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
+            app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
                 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 
             // Add authentication to the request pipeline.