Allow adding connect-src entries (#5293)

Bitwarden allows to use self-hosted forwarded email services. But for this to work you need to add custom URL's to the `connect-src` CSP entry. This commit allows setting this and checks if the URL starts with `https://` else it will abort loading. Fixes #5290 Signed-off-by: BlackDex <black.dex@gmail.com>
2025-09-11 11:15:58 +03:00 · 2024-12-15 00:27:20 +01:00
parent 9cd400db6c
commit 4d6d3443ae
3 changed files with 22 additions and 2 deletions
--- a/src/util.rs
+++ b/src/util.rs
@@ -98,10 +98,11 @@ impl Fairing for AppHeaders {
                  https://app.addy.io/api/ \
                  https://api.fastmail.com/ \
                  https://api.forwardemail.net \
-                  ;\
+                  {allowed_connect_src};\
                ",
                icon_service_csp = CONFIG._icon_service_csp(),
-                allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
+                allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors(),
+                allowed_connect_src = CONFIG.allowed_connect_src(),
            );
            res.set_raw_header("Content-Security-Policy", csp);
            res.set_raw_header("X-Frame-Options", "SAMEORIGIN");