Misc Updates and favicon fixes (#5993)

- Updated crates - Switched to rustls instead of native-tls Some dependency were already using rustls by default or without option. By removing native-tls we also have just one way of working here. Updated favicon fetching which now is able to fetch more icons. - Use rustls instead of native-tls This seems to work better, probably because of tls sniffing - Use different user-agent and added several other headers - Added SVG support. SVG Images will be sanitized first before stored or presented. Also, a special CSP for images will be sent to prevent scripts etc.. from SVG images. Signed-off-by: BlackDex <black.dex@gmail.com>
2025-09-13 12:05:58 +03:00 · 2025-06-27 21:20:36 +02:00
parent ad75ce281e
commit f125d5f1a1
9 changed files with 260 additions and 196 deletions
--- a/src/util.rs
+++ b/src/util.rs
@@ -61,9 +61,11 @@ impl Fairing for AppHeaders {

        // The `Cross-Origin-Resource-Policy` header should not be set on images or on the `icon_external` route.
        // Otherwise some clients, like the Bitwarden Desktop, will fail to download the icons
+        let mut is_image = true;
        if !(res.headers().get_one("Content-Type").is_some_and(|v| v.starts_with("image/"))
            || req.route().is_some_and(|v| v.name.as_deref() == Some("icon_external")))
        {
+            is_image = false;
            res.set_raw_header("Cross-Origin-Resource-Policy", "same-origin");
        }

@@ -71,49 +73,56 @@ impl Fairing for AppHeaders {
        // This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo.
        // This is the same behavior as upstream Bitwarden.
        if !req_uri_path.ends_with("connector.html") {
-            // # Frame Ancestors:
-            // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
-            // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
-            // Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/
-            // # img/child/frame src:
-            // Have I Been Pwned to allow those calls to work.
-            // # Connect src:
-            // Leaked Passwords check: api.pwnedpasswords.com
-            // 2FA/MFA Site check: api.2fa.directory
-            // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
-            // app.simplelogin.io, app.addy.io, api.fastmail.com, quack.duckduckgo.com
-            let csp = format!(
-                "default-src 'none'; \
-                font-src 'self'; \
-                manifest-src 'self'; \
-                base-uri 'self'; \
-                form-action 'self'; \
-                object-src 'self' blob:; \
-                script-src 'self' 'wasm-unsafe-eval'; \
-                style-src 'self' 'unsafe-inline'; \
-                child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
-                frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
-                frame-ancestors 'self' \
-                  chrome-extension://nngceckbapebfimnlniiiahkandclblb \
-                  chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
-                  moz-extension://* \
-                  {allowed_iframe_ancestors}; \
-                img-src 'self' data: \
-                  https://haveibeenpwned.com \
-                  {icon_service_csp}; \
-                connect-src 'self' \
-                  https://api.pwnedpasswords.com \
-                  https://api.2fa.directory \
-                  https://app.simplelogin.io/api/ \
-                  https://app.addy.io/api/ \
-                  https://api.fastmail.com/ \
-                  https://api.forwardemail.net \
-                  {allowed_connect_src};\
-                ",
-                icon_service_csp = CONFIG._icon_service_csp(),
-                allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors(),
-                allowed_connect_src = CONFIG.allowed_connect_src(),
-            );
+            let csp = if is_image {
+                // Prevent scripts, frames, objects, etc., from loading with images, mainly for SVG images, since these could contain JavaScript and other unsafe items.
+                // Even though we sanitize SVG images before storing and viewing them, it's better to prevent allowing these elements.
+                String::from("default-src 'none'; img-src 'self' data:; style-src 'unsafe-inline'; script-src 'none'; frame-src 'none'; object-src 'none")
+            } else {
+                // # Frame Ancestors:
+                // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
+                // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
+                // Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/
+                // # img/child/frame src:
+                // Have I Been Pwned to allow those calls to work.
+                // # Connect src:
+                // Leaked Passwords check: api.pwnedpasswords.com
+                // 2FA/MFA Site check: api.2fa.directory
+                // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
+                // app.simplelogin.io, app.addy.io, api.fastmail.com, api.forwardemail.net
+                format!(
+                    "default-src 'none'; \
+                    font-src 'self'; \
+                    manifest-src 'self'; \
+                    base-uri 'self'; \
+                    form-action 'self'; \
+                    object-src 'self' blob:; \
+                    script-src 'self' 'wasm-unsafe-eval'; \
+                    style-src 'self' 'unsafe-inline'; \
+                    child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
+                    frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
+                    frame-ancestors 'self' \
+                    chrome-extension://nngceckbapebfimnlniiiahkandclblb \
+                    chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
+                    moz-extension://* \
+                    {allowed_iframe_ancestors}; \
+                    img-src 'self' data: \
+                    https://haveibeenpwned.com \
+                    {icon_service_csp}; \
+                    connect-src 'self' \
+                    https://api.pwnedpasswords.com \
+                    https://api.2fa.directory \
+                    https://app.simplelogin.io/api/ \
+                    https://app.addy.io/api/ \
+                    https://api.fastmail.com/ \
+                    https://api.forwardemail.net \
+                    {allowed_connect_src};\
+                    ",
+                    icon_service_csp = CONFIG._icon_service_csp(),
+                    allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors(),
+                    allowed_connect_src = CONFIG.allowed_connect_src(),
+                )
+            };
+
            res.set_raw_header("Content-Security-Policy", csp);
            res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
        } else {