adjust cors origin checks (#800)

* allow cors from bitwarden.com on cloud * allow file:// cors for safari extension * fix missing paren
2025-07-04 01:22:50 -05:00 · 2020-06-27 15:08:50 -04:00
parent 448157b07c
commit 6bc7a3cdc0
6 changed files with 20 additions and 8 deletions
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@ -595,5 +595,16 @@ namespace Bit.Core.Utilities

            return httpContext.Connection?.RemoteIpAddress?.ToString();
        }
+
+        public static bool IsCorsOriginAllowed(string origin, GlobalSettings globalSettings)
+        {
+            return
+                // Web vault
+                origin == globalSettings.BaseServiceUri.Vault ||
+                // Safari extension origin
+                origin == "file://" ||
+                // Product website
+                (!globalSettings.SelfHosted && origin == "https://bitwarden.com");
+        }
    }
 }
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@ -382,7 +382,7 @@ namespace Bit.Core.Utilities
            }

            services.AddTransient<ClientStore>();
-            services.AddTransient<ICorsPolicyService, VaultCorsPolicyService>();
+            services.AddTransient<ICorsPolicyService, CustomCorsPolicyService>();
            services.AddScoped<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
            services.AddScoped<IProfileService, ProfileService>();
            services.AddSingleton<IPersistedGrantStore, PersistedGrantStore>();