Allow FireFox relay in CSP.

This PR is needed for https://github.com/dani-garcia/bw_web_builds/pull/71 Without this the web-vault will refuse to make calls to the FireFox Relay API. Also fixed a small issue with the pre-commit config.
author: BlackDex <[email protected]> 2022-06-20 16:26:41 +0200
committer: BlackDex <[email protected]> 2022-06-22 16:30:31 +0200
commit: 006a2aacbbb31736edb67b5887842813728daf38 (patch)
tree: 20f67d882d7ddd6f5691537950941b8a697e3da8 /src
parent: 887e320e7f8dfc62d9b3ed08aca216cd7ad229f1 (diff)
download: vaultwarden-006a2aacbbb31736edb67b5887842813728daf38.tar.gz
vaultwarden-006a2aacbbb31736edb67b5887842813728daf38.zip
1 files changed, 12 insertions, 4 deletions
diff --git a/src/util.rs b/src/util.rs
index 55208aeb..82cb328e 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -50,17 +50,25 @@ impl Fairing for AppHeaders {
         // This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo.
         // This is the same behaviour as upstream Bitwarden.
         if !req_uri_path.ends_with("connector.html") {
+            // # Frame Ancestors:
+            // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
+            // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
+            // Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/
+            // # img/child/frame src:
+            // Have I Been Pwned and Gravator to allow those calls to work.
+            // # Connect src:
+            // Leaked Passwords check: api.pwnedpasswords.com
+            // 2FA/MFA Site check: 2fa.directory
+            // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
+            // app.simplelogin.io, app.anonaddy.com, relay.firefox.com
             let csp = format!(
-                // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
-                // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
-                // Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/
                 "default-src 'self'; \
                 script-src 'self'{script_src}; \
                 style-src 'self' 'unsafe-inline'; \
                 img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; \
                 child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
                 frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
-                connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/; \
+                connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://relay.firefox.com/api/; \
                 object-src 'self' blob:; \
                 frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {};",
                 CONFIG.allowed_iframe_ancestors()
author	BlackDex <[email protected]>	2022-06-20 16:26:41 +0200
committer	BlackDex <[email protected]>	2022-06-22 16:30:31 +0200
commit	006a2aacbbb31736edb67b5887842813728daf38 (patch)
tree	20f67d882d7ddd6f5691537950941b8a697e3da8 /src
parent	887e320e7f8dfc62d9b3ed08aca216cd7ad229f1 (diff)
download	vaultwarden-006a2aacbbb31736edb67b5887842813728daf38.tar.gz vaultwarden-006a2aacbbb31736edb67b5887842813728daf38.zip