Make nginx Content-Security-Policy configurable (#1048)

* Adding the nginx head Content-Security-Policy to the Configuration file * fixing whitespace formatting * adding a '+' that got removed
2025-06-30 15:42:48 -05:00 · 2020-12-18 07:58:35 -08:00
parent 037757a740
commit 97ba472606
2 changed files with 11 additions and 8 deletions
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
@ -6,13 +6,6 @@ namespace Bit.Setup
    public class NginxConfigBuilder
    {
        private const string ConfFile = "/bitwarden/nginx/default.conf";
-        private const string ContentSecurityPolicy =
-            "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
-            "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
-            "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
-            "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
-            "https://twofactorauth.org; " +
-            "object-src 'self' blob:;";

        private readonly Context _context;

@ -79,6 +72,7 @@ namespace Bit.Setup
                Domain = context.Config.Domain;
                Url = context.Config.Url;
                RealIps = context.Config.RealIps;
+                ContentSecurityPolicy = string.Format(context.Config.NginxHeaderContentSecurityPolicy, Domain);

                if (Ssl)
                {
@ -129,7 +123,7 @@ namespace Bit.Setup
            public string DiffieHellmanPath { get; set; }
            public string SslCiphers { get; set; }
            public string SslProtocols { get; set; }
-            public string ContentSecurityPolicy => string.Format(NginxConfigBuilder.ContentSecurityPolicy, Domain);
+            public string ContentSecurityPolicy { get; set; }
            public List<string> RealIps { get; set; }
        }
    }