From 97ba47260629fcf3bd41f02e3620481794f100fa Mon Sep 17 00:00:00 2001
From: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com>
Date: Fri, 18 Dec 2020 07:58:35 -0800
Subject: [PATCH] Make nginx Content-Security-Policy configurable (#1048)

* Adding the nginx head Content-Security-Policy to the Configuration file

* fixing whitespace formatting

* adding a '+' that got removed
---
 util/Setup/Configuration.cs      |  9 +++++++++
 util/Setup/NginxConfigBuilder.cs | 10 ++--------
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/util/Setup/Configuration.cs b/util/Setup/Configuration.cs
index d99bf25231..879a026099 100644
--- a/util/Setup/Configuration.cs
+++ b/util/Setup/Configuration.cs
@@ -72,6 +72,15 @@ namespace Bit.Setup
             "`/etc/ssl` within the container.")]
         public string SslDiffieHellmanPath { get; set; }
 
+        [Description("Nginx Header Content-Security-Policy parameter\n" +
+            "WARNING: Reconfiguring this parameter may break features. By changing this parameter\n" +
+            "you become responsible for maintaining this value.")]
+        public string NginxHeaderContentSecurityPolicy { get; set; } = "default-src 'self'; style-src 'self' " +
+            "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " + 
+            "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
+            "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
+            "https://twofactorauth.org; object-src 'self' blob:;";
+
         [Description("Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile\n" +
             "app live sync.")]
         public bool PushNotifications { get; set; } = true;
diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs
index cf602a6a1a..4d7c57da73 100644
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
@@ -6,13 +6,6 @@ namespace Bit.Setup
     public class NginxConfigBuilder
     {
         private const string ConfFile = "/bitwarden/nginx/default.conf";
-        private const string ContentSecurityPolicy =
-            "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
-            "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
-            "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
-            "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
-            "https://twofactorauth.org; " +
-            "object-src 'self' blob:;";
 
         private readonly Context _context;
 
@@ -79,6 +72,7 @@ namespace Bit.Setup
                 Domain = context.Config.Domain;
                 Url = context.Config.Url;
                 RealIps = context.Config.RealIps;
+                ContentSecurityPolicy = string.Format(context.Config.NginxHeaderContentSecurityPolicy, Domain);
 
                 if (Ssl)
                 {
@@ -129,7 +123,7 @@ namespace Bit.Setup
             public string DiffieHellmanPath { get; set; }
             public string SslCiphers { get; set; }
             public string SslProtocols { get; set; }
-            public string ContentSecurityPolicy => string.Format(NginxConfigBuilder.ContentSecurityPolicy, Domain);
+            public string ContentSecurityPolicy { get; set; }
             public List<string> RealIps { get; set; }
         }
     }