Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow adding connect-src entries #5293

Merged
merged 1 commit into from
Dec 14, 2024
Merged

Allow adding connect-src entries #5293

merged 1 commit into from
Dec 14, 2024
+22 −2

Conversation

BlackDex
Copy link
Collaborator

Bitwarden allows to use self-hosted forwarded email services. But for this to work you need to add custom URL's to the connect-src CSP entry.

This commit allows setting this and checks if the URL starts with https:// else it will abort loading.

Fixes #5290

@BlackDex BlackDex requested a review from dani-garcia December 14, 2024 15:25
@BlackDex BlackDex force-pushed the allow-custom-forward-api branch from 574dee9 to 3e582b3 Compare December 14, 2024 15:31
@BlackDex
Allow adding connect-src entries
e59472b 
Bitwarden allows to use self-hosted forwarded email services.
But for this to work you need to add custom URL's to the `connect-src` CSP entry.

This commit allows setting this and checks if the URL starts with `https://` else it will abort loading.

Fixes dani-garcia#5290

Signed-off-by: BlackDex <black.dex@gmail.com>
@BlackDex BlackDex force-pushed the allow-custom-forward-api branch from 3e582b3 to e59472b Compare December 14, 2024 15:32
@dani-garcia
Copy link
Owner

I wonder how Bitwarden handles this, do we have a more strict CSP than they do?

A bit annoying that this is an admin config while the option to configure email forward generator is user level. Would it make sense to allow * as a special case to let any domains through (I'm assuming Bitwarden is doing that)?

@larena1
Copy link

larena1 commented Dec 14, 2024

https://domsignal.com/test/lxyiipdn09ju7rzi5vh8oq2pw885ym5i

Bitwarden included addy in their CSP

@BlackDex
Copy link
Collaborator Author

We also have addy in our CSP.
But if people are allowed to use custom endpoints, then I'm not sure how they will do this.

I have not checked this my self btw.
Will do that later.

@larena1
Copy link

larena1 commented Dec 14, 2024

But if people are allowed to use custom endpoints, then I'm not sure how they will do this.

Judging by their CSP it might not be possible then

@BlackDex
Copy link
Collaborator Author

Looking at the cloud version, that does not support self-hosted forwarded instances.
The self-hosted Bitwarden does, but it also is blocked by default via the CSP.

There is no easy way to fix this in Self-Hosted Bitwarden besides overwriting the nginx config, which is possible, but not easy.

I would not allow * as that could cause possible security issues. Since people self-host, i would suggest they know which items are allowed. And we already add the hosted endpoints of those services by default.

dani-garcia
dani-garcia approved these changes Dec 14, 2024
View reviewed changes
Copy link
Owner

@dani-garcia dani-garcia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice thanks for the info, LGTM

@dani-garcia dani-garcia merged commit 4d6d344 into dani-garcia:main Dec 14, 2024
5 checks passed
@BlackDex BlackDex deleted the allow-custom-forward-api branch December 14, 2024 23:46
@ligix
Copy link

ligix commented Dec 15, 2024

Since people self-host, i would suggest they know which items are allowed

While this isn't an issue for people who host a small private instance (ex: for their family only) it unnecessarily worsens the CSP for all users.
A better fix would be scoping the CSP changes to only those users who require it but it'd have marginal benefits and would be annoying to implement.

@BlackDex
Copy link
Collaborator Author

Since people self-host, i would suggest they know which items are allowed

While this isn't an issue for people who host a small private instance (ex: for their family only) it unnecessarily worsens the CSP for all users. A better fix would be scoping the CSP changes to only those users who require it but it'd have marginal benefits and would be annoying to implement.

And even impossible since we do not know the user when loading the index page, and thus can not filter on that too change headers per user.

@BJReplay
Copy link

Nice. I hadn't noticed that you couldn't use this from the web vault, because the browser extension just works, but it is nice to be able to use it from the web vault, so that you can use the generator while updating logins in bulk from a regular email address to a self-hosted simple login generated email address.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dani-garcia dani-garcia dani-garcia approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CSP breaking selfhosted addy integration
5 participants
@BlackDex @dani-garcia @larena1 @ligix @BJReplay