aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/config.rs11
-rw-r--r--src/util.rs5
2 files changed, 14 insertions, 2 deletions
diff --git a/src/config.rs b/src/config.rs
index 1a56475f..8daf35f4 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -238,6 +238,7 @@ macro_rules! make_config {
// Besides Pass, only String types will be masked via _privacy_mask.
const PRIVACY_CONFIG: &[&str] = &[
"allowed_iframe_ancestors",
+ "allowed_connect_src",
"database_url",
"domain_origin",
"domain_path",
@@ -610,6 +611,9 @@ make_config! {
/// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
allowed_iframe_ancestors: String, true, def, String::new();
+ /// Allowed connect-src (Know the risks!) |> Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+ allowed_connect_src: String, true, def, String::new();
+
/// Seconds between login requests |> Number of seconds, on average, between login and 2FA requests from the same IP address before rate limiting kicks in
login_ratelimit_seconds: u64, false, def, 60;
/// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `login_ratelimit_seconds`. Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2
@@ -761,6 +765,13 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
);
}
+ let connect_src = cfg.allowed_connect_src.to_lowercase();
+ for url in connect_src.split_whitespace() {
+ if !url.starts_with("https://") || Url::parse(url).is_err() {
+ err!("ALLOWED_CONNECT_SRC variable contains one or more invalid URLs. Only FQDN's starting with https are allowed");
+ }
+ }
+
let whitelist = &cfg.signups_domains_whitelist;
if !whitelist.is_empty() && whitelist.split(',').any(|d| d.trim().is_empty()) {
err!("`SIGNUPS_DOMAINS_WHITELIST` contains empty tokens");
diff --git a/src/util.rs b/src/util.rs
index 88f0b23d..8c4efca8 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -98,10 +98,11 @@ impl Fairing for AppHeaders {
https://app.addy.io/api/ \
https://api.fastmail.com/ \
https://api.forwardemail.net \
- ;\
+ {allowed_connect_src};\
",
icon_service_csp = CONFIG._icon_service_csp(),
- allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
+ allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors(),
+ allowed_connect_src = CONFIG.allowed_connect_src(),
);
res.set_raw_header("Content-Security-Policy", csp);
res.set_raw_header("X-Frame-Options", "SAMEORIGIN");