CSP frame-ancestors doesn't include official desktop app #1310

Closed
opened 2026-02-05 00:35:39 +03:00 by OVERLORD · 3 comments

Originally created by @LunNova on GitHub (Jun 30, 2022).

The bitwarden desktop app is at a file:// URL, so the frame-ancestors list prevents it from being framed.

This prevents the 2FA webauthn frame from working.

```
Refused to frame 'https://bitwarden.***/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*".
```

```
window.location
Location {ancestorOrigins: DOMStringList, href: 'file:///%LOCALAPPDATA%/Programs/Bitwarden/resources/app.asar/index.html#/login', origin: 'file://', protocol: 'file:', host: '', …}
```

Is it safe to add `file://*` to the [frame-ancestors list in util.rs](https://github.com/dani-garcia/vaultwarden/blob/main/src/util.rs#L73)?

The current content-security-policy used by the official web vault at https://vault.bitwarden.com doesn't set frame-ancestors.

Repro steps

  1. Set up 2FA with a yubikey on the web vault
  2. Install the official bitwarden desktop app
  3. Try to sign in with yubikey, sit at loading spinner forever and get `Refused to frame ...` error in developer tools
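As an added example (not Vaultwarden or Bitwarden code), the following evaluates the frame-ancestors policy quoted above against the desktop app's file:// origin using simplified CSP3 source matching ('self', exact scheme://host origins and scheme://* host wildcards). The 'self' origin https://vault.example is a constructed stand-in for the host redacted in the console message.

```python
"""Check whether an embedding origin satisfies a CSP frame-ancestors directive.

Added example, not Vaultwarden code. Matching is simplified to 'self',
exact origins and scheme://* host wildcards, following CSP3 host-source
matching: a host wildcard never matches a URL with no host (file://).
"""
from urllib.parse import urlsplit

# Policy quoted in the browser console error in this issue.
POLICY = ("frame-ancestors 'self' "
          "chrome-extension://nngceckbapebfimnlniiiahkandclblb "
          "chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh "
          "moz-extension://*")

# Desktop app href from the issue; the 'self' origin is a constructed stand-in.
DESKTOP_APP = "file:///%LOCALAPPDATA%/Programs/Bitwarden/resources/app.asar/index.html#/login"
SELF_ORIGIN = "https://vault.example"


def frame_ancestors(policy):
    """Return the frame-ancestors source list, or [] if the directive is absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return []


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; file URLs yield 'file://'."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def source_matches(source, ancestor, self_origin):
    """Match one source expression against an ancestor origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor == self_origin
    scheme, _, host = source.partition("://")
    a_scheme, _, a_host = ancestor.partition("://")
    if scheme.lower() != a_scheme:
        return False
    if host == "*":
        return a_host != ""  # wildcard host requires the URL to have a host
    return host.lower() == a_host


def may_frame(policy, ancestor_url, self_origin):
    """True if the ancestor may embed the document under this policy."""
    sources = frame_ancestors(policy)
    if not sources:
        return True  # no frame-ancestors directive: CSP does not restrict framing
    ancestor = origin_of(ancestor_url)
    return any(source_matches(s, ancestor, self_origin) for s in sources)
```

Running `may_frame(POLICY, DESKTOP_APP, SELF_ORIGIN)` reproduces the refusal, while a `moz-extension://` ancestor or the listed chrome-extension ids are allowed.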

@BlackDex commented on GitHub (Jun 30, 2022):

Vaultwarden also isn't sending the CSP headers for the connectors/mfa/2fa files served in some of the latest commits.

Which version of Vaultwarden are you using? And did you try the `testing` tagged image and see if that solved it?

@LunNova commented on GitHub (Jun 30, 2022):

It's working on `testing`, wasn't on `1.25.0`, looks like 5d05ec58be9e6dcb028d69a428 was the fix.

Sorry for the duplicate issue!

@BlackDex commented on GitHub (Jun 30, 2022):

No prob. Glad it works with that fix 🙂

Reference: starred/vaultwarden#1310