adjust cors origin checks (#800)

* allow cors from bitwarden.com on cloud * allow file:// cors for safari extension * fix missing paren
2025-07-02 00:22:50 -05:00 · 2020-06-27 15:08:50 -04:00
parent 448157b07c
commit 6bc7a3cdc0
6 changed files with 20 additions and 8 deletions
--- a/src/Core/IdentityServer/VaultCorsPolicyService.cs
+++ b/src/Core/IdentityServer/VaultCorsPolicyService.cs
@ -1,20 +1,21 @@
-using IdentityServer4.Services;
+using Bit.Core.Utilities;
+using IdentityServer4.Services;
 using System.Threading.Tasks;

 namespace Bit.Core.IdentityServer
 {
-    public class VaultCorsPolicyService : ICorsPolicyService
+    public class CustomCorsPolicyService : ICorsPolicyService
    {
        private readonly GlobalSettings _globalSettings;

-        public VaultCorsPolicyService(GlobalSettings globalSettings)
+        public CustomCorsPolicyService(GlobalSettings globalSettings)
        {
            _globalSettings = globalSettings;
        }

        public Task<bool> IsOriginAllowedAsync(string origin)
        {
-            return Task.FromResult(origin == _globalSettings.BaseServiceUri.Vault);
+            return Task.FromResult(CoreHelpers.IsCorsOriginAllowed(origin, _globalSettings));
        }
    }
 }
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@ -595,5 +595,16 @@ namespace Bit.Core.Utilities

            return httpContext.Connection?.RemoteIpAddress?.ToString();
        }
+
+        public static bool IsCorsOriginAllowed(string origin, GlobalSettings globalSettings)
+        {
+            return
+                // Web vault
+                origin == globalSettings.BaseServiceUri.Vault ||
+                // Safari extension origin
+                origin == "file://" ||
+                // Product website
+                (!globalSettings.SelfHosted && origin == "https://bitwarden.com");
+        }
    }
 }
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@ -382,7 +382,7 @@ namespace Bit.Core.Utilities
            }

            services.AddTransient<ClientStore>();
-            services.AddTransient<ICorsPolicyService, VaultCorsPolicyService>();
+            services.AddTransient<ICorsPolicyService, CustomCorsPolicyService>();
            services.AddScoped<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
            services.AddScoped<IProfileService, ProfileService>();
            services.AddSingleton<IPersistedGrantStore, PersistedGrantStore>();