starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-12-09 09:13:02 +03:00
Code Issues 429 Packages Projects Releases 10 Wiki Activity

FIDO2 WebAuthn frame no longer loads in Web Vault #1026

New Issue
Closed
opened 2025-10-09 17:01:18 +03:00 by OVERLORD · 3 comments
OVERLORD commented 2025-10-09 17:01:18 +03:00
Owner
Copy Link

Originally created by @ducmthai on GitHub.

FIDO2 WebAuthn prompt frame does not load

The iframe is saying my-selfhost-vault.com refused to connect. my-selfhost-vault.com is served through Cloudflare

Deployment environment

  • vaultwarden version: 1.26-alpine

  • Install method: docker

  • Clients used: web vault

  • Reverse proxy and version: nginx 1.18

  • MySQL/MariaDB or PostgreSQL version: N/A

  • Other relevant details: Cloudflare -> nginx -> vaultwarden docker

Steps to reproduce

Setup a Yubikey as FIDO2 WebAuthn 2fa, then login via webvault

Expected behaviour

The FIDO2 WebAuthn page should prompt for a toutch/tap the security key.

Actual behaviour

The iframe where /images/u2fkey.webp is usually showed just says my-selfhost-vault.com refused to connect.

Troubleshooting data

1.25.0-alpine works with /webauthn-connector.html?data=<token> has x-frame-options: SAMEORIGIN in its response header. 1.26.0-alpine does not have this header.

1.26.0

1 26 0

1.25.0

1 25 0

Originally created by @ducmthai on GitHub. <!-- # ### NOTE: Please update to the latest version of vaultwarden before reporting an issue! This saves you and us a lot of time and troubleshooting. See: * https://github.com/dani-garcia/vaultwarden/issues/1180 * https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image # ### --> <!-- Please fill out the following template to make solving your problem easier and faster for us. This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them. Remember to hide/redact personal or confidential information, such as passwords, IP addresses, and DNS names as appropriate. --> ### FIDO2 WebAuthn prompt frame does not load The iframe is saying `my-selfhost-vault.com` refused to connect. `my-selfhost-vault.com` is served through Cloudflare ### Deployment environment <!-- ========================================================================================= Preferably, use the `Generate Support String` button on the admin page's Diagnostics tab. That will auto-generate most of the info requested in this section. ========================================================================================= --> <!-- The version number, obtained from the logs (at startup) or the admin diagnostics page --> <!-- This is NOT the version number shown on the web vault, which is versioned separately from vaultwarden --> <!-- Remember to check if your issue exists on the latest version first! --> * vaultwarden version: 1.26-alpine <!-- How the server was installed: Docker image, OS package, built from source, etc. --> * Install method: docker * Clients used: web vault * Reverse proxy and version: nginx 1.18 * MySQL/MariaDB or PostgreSQL version: N/A * Other relevant details: Cloudflare -> nginx -> vaultwarden docker ### Steps to reproduce Setup a Yubikey as FIDO2 WebAuthn 2fa, then login via webvault ### Expected behaviour The FIDO2 WebAuthn page should prompt for a toutch/tap the security key. ### Actual behaviour The iframe where `/images/u2fkey.webp` is usually showed just says `my-selfhost-vault.com` refused to connect. ### Troubleshooting data `1.25.0-alpine` works with `/webauthn-connector.html?data=<token>` has `x-frame-options: SAMEORIGIN` in its response header. `1.26.0-alpine` does not have this header. ### 1.26.0 ![1 26 0](https://user-images.githubusercontent.com/13193688/196568071-399adf9e-cbf9-4415-96e5-c5636432c573.png) ### 1.25.0 ![1 25 0](https://user-images.githubusercontent.com/13193688/196568077-817da357-a88e-46f2-9022-18cdc64efb53.png)
OVERLORD commented 2025-10-09 17:01:21 +03:00
Author
Owner
Copy Link

@ducmthai commented on GitHub:

Adding add_header X-Frame-Options "SAMEORIGIN"; to nginx.conf fixed the issue.

@ducmthai commented on GitHub: Adding `add_header X-Frame-Options "SAMEORIGIN";` to nginx.conf fixed the issue.
OVERLORD commented 2025-10-09 17:01:22 +03:00
Author
Owner
Copy Link

@BlackDex commented on GitHub:

Just as a follow-up.
All the correct headers are already sent by Vaultwarden, including that one. There are probably other headers which you may overrides out not. I suggest to not override any header and keep most of these as is.

Also, using this setting will probably break the desktop client.

@BlackDex commented on GitHub: Just as a follow-up. All the correct headers are already sent by Vaultwarden, including that one. There are probably other headers which you may overrides out not. I suggest to not override any header and keep most of these as is. Also, using this setting will probably break the desktop client.
OVERLORD commented 2025-10-09 17:01:22 +03:00
Author
Owner
Copy Link

@ducmthai commented on GitHub:

Just as a follow-up. All the correct headers are already sent by Vaultwarden, including that one. There are probably other headers which you may overrides out not. I suggest to not override any header and keep most of these as is.

Also, using this setting will probably break the desktop client.

Hmm, if so, I wonder why 1.25 works and 1.26 doesn't.

Update: I just tried 1.25/1.26 without the header override and Desktop client still does not load the frame. This time I also skipped Cloudflare through DNS rewrite.

Additional errors in DevTools of the Desktop Client:

For 1.25:

Refused to frame 'https://my-selfhosted-vault.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'

For 1.26 (Same error with webvault)

Refused to display 'https://my-selfhosted-vault.com/' in a frame because it set 'X-Frame-Options' to 'deny'.

Update 2: I do have this in my nginx.conf.

# Disallow the site to be rendered
add_header X-Frame-Options "DENY";

I gave this header value "ALLOW" for vaultwarden so that the client would ignore it and it works.

@ducmthai commented on GitHub: > Just as a follow-up. All the correct headers are already sent by Vaultwarden, including that one. There are probably other headers which you may overrides out not. I suggest to not override any header and keep most of these as is. > > Also, using this setting will probably break the desktop client. Hmm, if so, I wonder why 1.25 works and 1.26 doesn't. **Update**: I just tried 1.25/1.26 without the header override and Desktop client still does not load the frame. This time I also skipped Cloudflare through DNS rewrite. Additional errors in DevTools of the Desktop Client: ### For 1.25: `Refused to frame 'https://my-selfhosted-vault.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'` ### For 1.26 (Same error with webvault) `Refused to display 'https://my-selfhosted-vault.com/' in a frame because it set 'X-Frame-Options' to 'deny'.` **Update 2**: I do have this in my nginx.conf. ``` # Disallow the site to be rendered add_header X-Frame-Options "DENY"; ``` I gave this header value "ALLOW" for vaultwarden so that the client would ignore it and it works.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
better for forum
bug
bug
bug
documentation
duplicate
enhancement
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
SSO
Third party
troubleshooting
troubleshooting
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#1026
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?