vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

commit 736dbc9553ed5caa928631f032344d2004800240
parent c2725916f45220a81ae32ba6d18d138a3d04ffbb
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Fri, 14 Oct 2022 17:56:03 +0200

Merge branch 'jjlin-csp'

Diffstat:
Msrc/util.rs | 29++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/src/util.rs b/src/util.rs @@ -60,19 +60,34 @@ impl Fairing for AppHeaders { // Leaked Passwords check: api.pwnedpasswords.com // 2FA/MFA Site check: 2fa.directory // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/ - // app.simplelogin.io, app.anonaddy.com, api.fastmail.com + // app.simplelogin.io, app.anonaddy.com, api.fastmail.com, quack.duckduckgo.com let csp = format!( "default-src 'self'; \ + object-src 'self' blob:; \ script-src 'self'{script_src}; \ style-src 'self' 'unsafe-inline'; \ - img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com {icon_service_csp}; \ child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \ frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \ - connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/; \ - object-src 'self' blob:; \ - frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {allowed_iframe_ancestors};", - icon_service_csp=CONFIG._icon_service_csp(), - allowed_iframe_ancestors=CONFIG.allowed_iframe_ancestors() + frame-ancestors 'self' \ + chrome-extension://nngceckbapebfimnlniiiahkandclblb \ + chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \ + moz-extension://* \ + {allowed_iframe_ancestors}; \ + img-src 'self' data: \ + https://haveibeenpwned.com/ \ + https://www.gravatar.com \ + {icon_service_csp}; \ + connect-src 'self' \ + https://api.pwnedpasswords.com/range/ \ + https://2fa.directory/api/ \ + https://app.simplelogin.io/api/ \ + https://app.anonaddy.com/api/ \ + https://api.fastmail.com/ \ + https://quack.duckduckgo.com/api/email/ \ + ;\ + ", + icon_service_csp = CONFIG._icon_service_csp(), + allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors() ); res.set_raw_header("Content-Security-Policy", csp); res.set_raw_header("X-Frame-Options", "SAMEORIGIN");