nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

[PS-2416 and PS-2417] dont set CSP config value by default (#2667)

Browse Source 
* dont set CSP config value by default

* space
This commit is contained in:
Kyle Spearrin
2023-02-03 14:50:33 -05:00
committed by GitHub
parent 7e74695afc
commit 0e84678150
3 changed files with 30 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
util/Setup/NginxConfigBuilder.cs
View File

@ -4,6 +4,14 @@ public class NginxConfigBuilder
{
private const string ConfFile = "/bitwarden/nginx/default.conf";
private const string DefaultContentSecurityPolicy = "default-src 'self'; " +
"script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; " +
"img-src 'self' data: https://haveibeenpwned.com; " +
"child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
"connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
"https://api.2fa.directory; object-src 'self' blob:;";
private readonly Context _context;
public NginxConfigBuilder(Context context)
@ -72,7 +80,12 @@ public class NginxConfigBuilder
Domain = context.Config.Domain;
Url = context.Config.Url;
RealIps = context.Config.RealIps;
ContentSecurityPolicy = string.Format(context.Config.NginxHeaderContentSecurityPolicy, Domain);
var csp = DefaultContentSecurityPolicy;
if (!string.IsNullOrWhiteSpace(context.Config.NginxHeaderContentSecurityPolicy))
{
csp = context.Config.NginxHeaderContentSecurityPolicy;
}
ContentSecurityPolicy = string.Format(csp, Domain);
if (Ssl)
{