diff --git a/util/Setup/Configuration.cs b/util/Setup/Configuration.cs index d99bf2523..879a02609 100644 --- a/util/Setup/Configuration.cs +++ b/util/Setup/Configuration.cs @@ -72,6 +72,15 @@ namespace Bit.Setup "`/etc/ssl` within the container.")] public string SslDiffieHellmanPath { get; set; } + [Description("Nginx Header Content-Security-Policy parameter\n" + + "WARNING: Reconfiguring this parameter may break features. By changing this parameter\n" + + "you become responsible for maintaining this value.")] + public string NginxHeaderContentSecurityPolicy { get; set; } = "default-src 'self'; style-src 'self' " + + "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " + + "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " + + "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " + + "https://twofactorauth.org; object-src 'self' blob:;"; + [Description("Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile\n" + "app live sync.")] public bool PushNotifications { get; set; } = true; diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs index cf602a6a1..4d7c57da7 100644 --- a/util/Setup/NginxConfigBuilder.cs +++ b/util/Setup/NginxConfigBuilder.cs @@ -6,13 +6,6 @@ namespace Bit.Setup public class NginxConfigBuilder { private const string ConfFile = "/bitwarden/nginx/default.conf"; - private const string ContentSecurityPolicy = - "default-src 'self'; style-src 'self' 'unsafe-inline'; " + - "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " + - "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " + - "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " + - "https://twofactorauth.org; " + - "object-src 'self' blob:;"; private readonly Context _context; @@ -79,6 +72,7 @@ namespace Bit.Setup Domain = context.Config.Domain; Url = context.Config.Url; RealIps = context.Config.RealIps; + ContentSecurityPolicy = string.Format(context.Config.NginxHeaderContentSecurityPolicy, Domain); if (Ssl) { @@ -129,7 +123,7 @@ namespace Bit.Setup public string DiffieHellmanPath { get; set; } public string SslCiphers { get; set; } public string SslProtocols { get; set; } - public string ContentSecurityPolicy => string.Format(NginxConfigBuilder.ContentSecurityPolicy, Domain); + public string ContentSecurityPolicy { get; set; } public List RealIps { get; set; } } }