diff --git a/.env.template b/.env.template
index 62ce52585d..fa2ccf116e 100644
--- a/.env.template
+++ b/.env.template
@@ -410,6 +410,14 @@
 ## Multiple values must be separated with a whitespace.
 # ALLOWED_IFRAME_ANCESTORS=
 
+## Allowed connect-src (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
+## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
+## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
+ALLOWED_CONNECT_SRC=""
+
 ## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
 # LOGIN_RATELIMIT_SECONDS=60
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
diff --git a/src/config.rs b/src/config.rs
index 1a56475f4a..60af832579 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -238,6 +238,7 @@ macro_rules! make_config {
         // Besides Pass, only String types will be masked via _privacy_mask.
         const PRIVACY_CONFIG: &[&str] = &[
             "allowed_iframe_ancestors",
+            "allowed_connect_src",
             "database_url",
             "domain_origin",
             "domain_path",
@@ -610,6 +611,9 @@ make_config! {
     /// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
     allowed_iframe_ancestors: String, true, def, String::new();
 
+    /// Allowed connect-src (Know the risks!) |> Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+    allowed_connect_src: String, true, def, String::new();
+
     /// Seconds between login requests |> Number of seconds, on average, between login and 2FA requests from the same IP address before rate limiting kicks in
     login_ratelimit_seconds: u64, false, def, 60;
     /// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `login_ratelimit_seconds`. Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2
@@ -761,6 +765,13 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
         );
     }
 
+    let connect_src = cfg.allowed_connect_src.to_lowercase();
+    for url in connect_src.split_whitespace() {
+        if !url.starts_with("https://") {
+            err!("ALLOWED_CONNECT_SRC variable only allows https endpoints");
+        }
+    }
+
     let whitelist = &cfg.signups_domains_whitelist;
     if !whitelist.is_empty() && whitelist.split(',').any(|d| d.trim().is_empty()) {
         err!("`SIGNUPS_DOMAINS_WHITELIST` contains empty tokens");
diff --git a/src/util.rs b/src/util.rs
index 88f0b23d40..8c4efca807 100644
--- a/src/util.rs
+++ b/src/util.rs
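Review bot: The doc comment on the added `allowed_connect_src` entry, "Allows other domains to URLs which can be loaded using script interfaces…", does not parse, and if the text after `|>` is the description shown next to the field in the admin settings page, as the split suggests, it should state the effect plainly, e.g. `/// Allowed connect-src (Know the risks!) |> Additional https origins the web vault may contact from script (fetch/XHR), e.g. a self-hosted forwarded-email alias service`. The same sentence is repeated in the .env.template hunk above and should be reworded in step. The make_config! invocation starts before and ends after this hunk.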
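Review bot: The https-prefix check in the added `for url in connect_src.split_whitespace()` loop still accepts tokens that can alter the header built in util.rs, because a token may contain `;` or `,`; a constructed value such as `https://a.example;script-src` has no whitespace, passes the prefix test, and once spliced into the policy terminates the connect-src directive and starts a new one. Rejecting delimiter characters and a bare scheme closes that gap: `if !url.starts_with("https://") || url.len() == "https://".len() || url.contains(|c: char| matches!(c, ';' | ',' | '\'' | '"')) {`. The value is validated in lowercase here but emitted raw in util.rs, which is harmless for a prefix test, but any stricter check should run on the string that is actually emitted. If the `true` in the make_config entry marks the setting as editable from the admin page, as for allowed_iframe_ancestors, this validation is also what guards runtime edits, so the stricter check matters there as well. validate_config starts and ends outside the hunk.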
@@ -98,10 +98,11 @@ impl Fairing for AppHeaders {
              https://app.addy.io/api/ \
              https://api.fastmail.com/ \
              https://api.forwardemail.net \
-             ;\
+             {allowed_connect_src};\
              ",
             icon_service_csp = CONFIG._icon_service_csp(),
-            allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
+            allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors(),
+            allowed_connect_src = CONFIG.allowed_connect_src(),
         );
         res.set_raw_header("Content-Security-Policy", csp);
         res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
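Review bot: `CONFIG.allowed_connect_src()` is spliced into the header verbatim at `{allowed_connect_src}`, so the emitted directive depends entirely on validate_config having accepted exactly this string; normalizing here, `allowed_connect_src = CONFIG.allowed_connect_src().split_whitespace().collect::<Vec<_>>().join(" "),`, makes the header carry one space-separated token per configured origin regardless of tabs or repeated whitespace in the setting, which is also how the validation tokenizes it. Whether a value can reach this point without passing that validation (for example an admin-panel value persisted before the check existed) is not visible in this diff. The `format!` call and the directive this value lands in begin before the hunk.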