Regex Blacklist Icon Cache Improvement #2117

Closed
opened 2025-10-09 17:46:20 +03:00 by OVERLORD · 6 comments
Owner

Originally created by @jonathanmmm on GitHub.

Hi,

I would suggest to improve the default icon blacklist regex (if there is a default).

Version 1:
Disable icons for all private IP addresses (IPv4 and maybe IPv6?!), not just 192.168.1.x but also 192.168.x.x, 10.x.x.x and 172.x.x.x (or what the third was for IPv4), also 127.x.x.x

Version 2:
Try to fetch the icon as the server directly from the IPs. Problem: the server may be in a different environment than the local IPs, or if the client asks for them he would potentially ask private IP addresses for icons in all networks he is connected to.


@BlackDex commented on GitHub:

@jonathanmmm regarding the IP+port part. That doesn't seem to be possible as far as I know, since only the host is given without any path or port. Not even whether it is https or http.


@jonathanmmm commented on GitHub:

@dani-garcia

Hi Dani-Garcia

I found out that I get icons from my router or my WD cloud storage.
Does the server get these icons directly from within the network?
Because the bitwarden.com icon server can't know which icon is needed by http://192.168.2.4 for example.

I have seen in another issue that bitwarden_rs is trying to directly connect to the server and not through the bitwarden.com server? Is the address something like http://192.168.2.4/icon.png, or at which path does an icon have to be in order to be shown in bitwarden (or is it per href in the HTML?)


@dani-garcia commented on GitHub:

At the moment the blacklist is disabled by default, and I'm not sure providing a default is necessarily a good idea, we should probably have a Wiki entry with some examples and explanations though.

In any case, if someone is paranoid enough that revealing the presence of a server in the internal network is a real issue, I would recommend them to isolate or firewall the bitwarden_rs server in the first place.


@jonathanmmm commented on GitHub:

@dani-garcia

Ok, I understand.
Would it be possible, if the IP address is private, to use the IP plus port so that the icons get cached by the server? E.g. a router also has a symbol, or any other web service.

Because right now they don't have one, e.g. my router, because you can't reach these services from outside you can't fetch the icons as the "bitwarden.com icon server" and reply it back to the bitwarden_rs icon cache.

Or is it possible to customize the icons without switching the TTL off? Because non-internal icons should still be updated.


@mprasil commented on GitHub:

@jonathanmmm currently the icons are fetched directly from the server (the client sends a request to the server to get the icon, the server will fetch it and cache it server-side). It will try to parse the HTML to gather some possible sources of icons and then goes with the most optimal size. So yeah, if you host your server locally (or if it has a route to your network) it should be able to load the favicon.


@mprasil commented on GitHub:

I believe this was implemented and by default bitwarden_rs does not fetch icons from IPs in the private IP range.
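
The check this thread asks for (refusing to fetch icons from private, loopback and link-local addresses), written as an added example that is not part of the thread and is not bitwarden_rs's own code. The function names are hypothetical; it goes beyond the IPv4 ranges listed in the issue to cover IPv6, and it classifies literal IP hosts only, since a hostname has to be checked again after DNS resolution.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// IPv4 ranges a server-side icon fetcher should refuse: RFC 1918 private
/// (10/8, 172.16/12, 192.168/16), loopback 127/8, link-local 169.254/16,
/// plus 0.0.0.0 and the broadcast address.
fn v4_is_internal(ip: Ipv4Addr) -> bool {
    ip.is_private()
        || ip.is_loopback()
        || ip.is_link_local()
        || ip.is_unspecified()
        || ip.is_broadcast()
}

fn v6_is_internal(ip: Ipv6Addr) -> bool {
    // ::ffff:a.b.c.d is judged by the IPv4 address it wraps, so the
    // mapped form cannot be used to slip past the IPv4 rules.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return v4_is_internal(v4);
    }
    let first = ip.segments()[0];
    ip.is_loopback()
        || ip.is_unspecified()
        || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (first & 0xffc0) == 0xfe80 // fe80::/10 link-local
}

/// Some(true): literal internal IP, do not fetch.
/// Some(false): literal public IP.
/// None: not an IP literal (a hostname), so the addresses it resolves to
/// must be checked before connecting.
pub fn host_is_internal(host: &str) -> Option<bool> {
    let h = host.trim().trim_start_matches('[').trim_end_matches(']');
    match h.parse::<IpAddr>() {
        Ok(IpAddr::V4(ip)) => Some(v4_is_internal(ip)),
        Ok(IpAddr::V6(ip)) => Some(v6_is_internal(ip)),
        Err(_) => None,
    }
}

fn main() {
    // Constructed sample hosts (203.0.113.0/24 and 2001:db8::/32 are
    // documentation ranges standing in for public addresses).
    let hosts = ["192.168.2.4", "172.16.0.1", "172.32.0.1", "127.0.0.1",
                 "203.0.113.10", "[fd12:3456::1]", "::ffff:10.0.0.5",
                 "2001:db8::1", "router.example"];
    for host in hosts {
        println!("{:<18} {:?}", host, host_is_internal(host));
    }
}
```

Parsing the host as an address instead of matching it with a regex gets the 172.16.0.0/12 boundary right (172.15.x.x and 172.32.x.x are public) and covers the bracketed and IPv4-mapped IPv6 spellings.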

Reference: starred/vaultwarden#2117