starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-02-05 00:29:40 +03:00
Code Issues 32 Packages Projects Releases 10 Wiki Activity

No Icons in Desktop Clients with Vaultwarden 1.33.0 #2150

New Issue
Closed
opened 2026-02-05 03:26:33 +03:00 by OVERLORD · 23 comments
OVERLORD commented 2026-02-05 03:26:33 +03:00
Owner
Copy Link

Originally created by @miljw002 on GitHub (Jan 26, 2025).

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.33.0
  • Web-vault version: v2025.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: MySQL
  • Database version: 8.0.41
  • Environment settings overridden!: false
  • Uses a reverse proxy: true
  • IP Header check: true (x-forwarded-for)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://*******************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******************",
  "domain_origin": "*****://******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": "api-bc8d4d38.duosecurity.com",
  "duo_ikey": "DICFPHD0UJEWUVKIKAVM",
  "duo_skey": "***",
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Miller Family Password Vault",
  "invitations_allowed": true,
  "ip_header": "x-forwarded-for",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 1000000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "off",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "******************",
  "smtp_from_name": "MillerNet Password Vault",
  "smtp_host": "*****************",
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "102714",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Vaultwarden Build Version

1.33.0

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Caddy v2.9.1

Host/Server Operating System

NAS/SAN

Operating System Version

macOS 12.7.6

Clients

Desktop

Client Version

2025.1.3

Steps To Reproduce

  1. Open Bitwarden client
  2. View any or all entries in the vault
  3. File -> Sync
  4. Still no icons

Expected Result

Icons for websites.

Actual Result

a mixture of the default no icon and a broken image.

Logs

Screenshots or Videos

Image

Reverting to 1.32.7 restores the icons.

Additional Context

No response

Originally created by @miljw002 on GitHub (Jan 26, 2025). ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.33.0 * Web-vault version: v2025.1.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: MySQL * Database version: 8.0.41 * Environment settings overridden!: false * Uses a reverse proxy: true * IP Header check: true (x-forwarded-for) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "*****://*******************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://******************", "domain_origin": "*****://******************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": "api-bc8d4d38.duosecurity.com", "duo_ikey": "DICFPHD0UJEWUVKIKAVM", "duo_skey": "***", "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Miller Family Password Vault", "invitations_allowed": true, "ip_header": "x-forwarded-for", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 1000000, "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": "off", "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "******************", "smtp_from_name": "MillerNet Password Vault", "smtp_host": "*****************", "smtp_password": null, "smtp_port": 587, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": "102714", "yubico_secret_key": "***", "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.33.0 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Caddy v2.9.1 ### Host/Server Operating System NAS/SAN ### Operating System Version macOS 12.7.6 ### Clients Desktop ### Client Version 2025.1.3 ### Steps To Reproduce 1. Open Bitwarden client 2. View any or all entries in the vault 3. File -> Sync 4. Still no icons ### Expected Result Icons for websites. ### Actual Result a mixture of the default no icon and a broken image. ### Logs ```text ``` ### Screenshots or Videos ![Image](https://github.com/user-attachments/assets/1bd3e89d-dcd9-461a-9511-6c53774a58ae) Reverting to 1.32.7 restores the icons. ### Additional Context _No response_
OVERLORD added the bug label 2026-02-05 03:26:33 +03:00
OVERLORD commented 2026-02-05 03:26:39 +03:00
Author
Owner
Copy Link

@miljw002 commented on GitHub (Jan 26, 2025):

Sorry, I forgot to include the icons do work in the Web Vault and with the iOS app.

I don't know why, but so far it's on the Bitwarden clients on Mac OS impacted. I've tried rolling back to previous versions of the Bitwarden client (thinking it was a client issue), and the older clients have the same problem (no icons).

@miljw002 commented on GitHub (Jan 26, 2025): Sorry, I forgot to include the icons do work in the Web Vault and with the iOS app. I don't know why, but so far it's on the Bitwarden clients on Mac OS impacted. I've tried rolling back to previous versions of the Bitwarden client (thinking it was a client issue), and the older clients have the same problem (no icons).
OVERLORD commented 2026-02-05 03:26:44 +03:00
Author
Owner
Copy Link

@frankilla-m commented on GitHub (Jan 26, 2025):

The same goes for browser extensions. But iOS is OK.

@frankilla-m commented on GitHub (Jan 26, 2025): The same goes for browser extensions. But iOS is OK.
OVERLORD commented 2026-02-05 03:26:49 +03:00
Author
Owner
Copy Link

@astounds commented on GitHub (Jan 26, 2025):

Same bug to browser extensions. But iOS and Android is ok

@astounds commented on GitHub (Jan 26, 2025): Same bug to browser extensions. But iOS and Android is ok
OVERLORD commented 2026-02-05 03:26:52 +03:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Jan 26, 2025):

I suspect it's the new security header I added to try to increase security. We might need to remove that, or maybe at least one for the icons. That's something i have to check.

@BlackDex commented on GitHub (Jan 26, 2025): I suspect it's the new security header I added to try to increase security. We might need to remove that, or maybe at least one for the icons. That's something i have to check.
OVERLORD commented 2026-02-05 03:26:57 +03:00
Author
Owner
Copy Link

@miljw002 commented on GitHub (Jan 26, 2025):

Thanks for the quick responses and it’s a relief it’s not just me.

What’s the security header change (without me trying to reverse engineer it)? I publish via Caddy, so may be able to adjust the headers there to test the theory.

@miljw002 commented on GitHub (Jan 26, 2025): Thanks for the quick responses and it’s a relief it’s not just me. What’s the security header change (without me trying to reverse engineer it)? I publish via Caddy, so may be able to adjust the headers there to test the theory.
OVERLORD commented 2026-02-05 03:27:01 +03:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Jan 26, 2025):

If you are able to prevent passing on this header Cross-Origin-Resource-Policy, and best would be only if an url ends with /icon.png, that should do the job i think.

In nginx it looks like this.

location ~ /icon.png$ {
  proxy_hide_header Cross-Origin-Resource-Policy;              
  proxy_pass http://vaultwarden-default;
}
@BlackDex commented on GitHub (Jan 26, 2025): If you are able to prevent passing on this header `Cross-Origin-Resource-Policy`, and best would be only if an url ends with `/icon.png`, that should do the job i think. In nginx it looks like this. ```nginx location ~ /icon.png$ { proxy_hide_header Cross-Origin-Resource-Policy; proxy_pass http://vaultwarden-default; } ```
OVERLORD commented 2026-02-05 03:27:06 +03:00
Author
Owner
Copy Link

@Codelica commented on GitHub (Jan 26, 2025):

Thanks, that works for me.

@Codelica commented on GitHub (Jan 26, 2025): Thanks, that works for me.
OVERLORD commented 2026-02-05 03:27:08 +03:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Jan 26, 2025):

Thanks for confirming. Ill do some testing a bit further my self later today, and then probably make an exclusion for the icon endpoint to not return that header.

@BlackDex commented on GitHub (Jan 26, 2025): Thanks for confirming. Ill do some testing a bit further my self later today, and then probably make an exclusion for the icon endpoint to not return that header.
OVERLORD commented 2026-02-05 03:27:12 +03:00
Author
Owner
Copy Link

@Crash1602 commented on GitHub (Jan 26, 2025):

Thank you for the quick workaround. I have a question related to this topic, but I'm not sure if it would be a new issue. Therefore, I will briefly ask the question here first. If it's out of place, please just delete my post.

Using https://headerscan.com/ I scanned my Vaultwarden page and always receive the message that the Strict-Transport-Security header is not set, only for Vaultwarden, other Sites are fine. However, the following is configured on SWAG (Nginx):

add_header Strict-Transport-Security "max-age=63072000" always;

A friend who uses the same system has the same problem. Therefore, the question is, what could be the reason for this?

Thank you very much!

Image

@Crash1602 commented on GitHub (Jan 26, 2025): Thank you for the quick workaround. I have a question related to this topic, but I'm not sure if it would be a new issue. Therefore, I will briefly ask the question here first. If it's out of place, please just delete my post. Using https://headerscan.com/ I scanned my Vaultwarden page and always receive the message that the Strict-Transport-Security header is not set, only for Vaultwarden, other Sites are fine. However, the following is configured on SWAG (Nginx): ``` add_header Strict-Transport-Security "max-age=63072000" always; ``` A friend who uses the same system has the same problem. Therefore, the question is, what could be the reason for this? Thank you very much! ![Image](https://github.com/user-attachments/assets/ed17ae35-a9d9-4cc6-b38d-705f508e0319)
OVERLORD commented 2026-02-05 03:27:15 +03:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Jan 26, 2025):

That is something you probably want to set your self to what ever is sane for you if your server/domain serves everything in https or not.

Vaultwarden does return such a header only if it does https it self, but then still you might not want subdomains or other duration.

I have that configured in my nginx for example.

@BlackDex commented on GitHub (Jan 26, 2025): That is something you probably want to set your self to what ever is sane for you if your server/domain serves everything in https or not. Vaultwarden does return such a header only if it does https it self, but then still you might not want subdomains or other duration. I have that configured in my nginx for example.
OVERLORD commented 2026-02-05 03:27:18 +03:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Jan 26, 2025):

You can also use https://developer.mozilla.org/en-US/observatory which is nice.

@BlackDex commented on GitHub (Jan 26, 2025): You can also use https://developer.mozilla.org/en-US/observatory which is nice.
OVERLORD commented 2026-02-05 03:27:23 +03:00
Author
Owner
Copy Link

@Brawl345 commented on GitHub (Jan 26, 2025):

Confirming that removing these lines works:

2903a3a13a/src/util.rs (L58)

2903a3a13a/src/static/scripts/admin_diagnostics.js (L239)

Removing the Cross-Origin-Resource-Policy header via Caddy did somehow not work (the icons throw a 404 in the Firefox add-on, the "Accept" header seems to be the problem but setting it via Caddy does nothing and I don't want to waste time debugging this and not sure whether it's my configuration or a bug).

@Brawl345 commented on GitHub (Jan 26, 2025): Confirming that removing these lines works: https://github.com/dani-garcia/vaultwarden/blob/2903a3a13ad06a09805e8842511b4b715a686d8e/src/util.rs#L58 https://github.com/dani-garcia/vaultwarden/blob/2903a3a13ad06a09805e8842511b4b715a686d8e/src/static/scripts/admin_diagnostics.js#L239 Removing the Cross-Origin-Resource-Policy header via Caddy did somehow not work (the icons throw a 404 in the Firefox add-on, the "Accept" header seems to be the problem but setting it via Caddy does nothing and I don't want to waste time debugging this and not sure whether it's my configuration or a bug).
OVERLORD commented 2026-02-05 03:27:31 +03:00
Author
Owner
Copy Link

@Crash1602 commented on GitHub (Jan 26, 2025):

That is something you probably want to set your self to what ever is sane for you if your server/domain serves everything in https or not.

Vaultwarden does return such a header only if it does https it self, but then still you might not want subdomains or other duration.

I have that configured in my nginx for example.

Thank you very much for your response. I found my mistake. I had included the protocol (ex. https://) on the headerscan.com site, which probably led to the analysis not being carried out properly.

Image

@Crash1602 commented on GitHub (Jan 26, 2025): > That is something you probably want to set your self to what ever is sane for you if your server/domain serves everything in https or not. > > Vaultwarden does return such a header only if it does https it self, but then still you might not want subdomains or other duration. > > I have that configured in my nginx for example. Thank you very much for your response. I found my mistake. I had included the protocol (ex. https://) on the headerscan.com site, which probably led to the analysis not being carried out properly. ![Image](https://github.com/user-attachments/assets/e562294f-f70d-4044-930a-e426087b2d13)
OVERLORD commented 2026-02-05 03:27:39 +03:00
Author
Owner
Copy Link

@Crash1602 commented on GitHub (Jan 26, 2025):

You can also use https://developer.mozilla.org/en-US/observatory which is nice.

Thanks for the tip. Unfortunately, the site doesn't seem to handle it well if you deviate from the default 443 port. I use a different port than 443 for HTTPS, and as a result, the Mozilla site always recognizes my service as down - unfortunately :)

@Crash1602 commented on GitHub (Jan 26, 2025): > You can also use https://developer.mozilla.org/en-US/observatory which is nice. Thanks for the tip. Unfortunately, the site doesn't seem to handle it well if you deviate from the default 443 port. I use a different port than 443 for HTTPS, and as a result, the Mozilla site always recognizes my service as down - unfortunately :)
OVERLORD commented 2026-02-05 03:27:42 +03:00
Author
Owner
Copy Link

@tessus commented on GitHub (Jan 26, 2025):

For Apache reverse proxy setups, the following has to be put in the VirtualHost section:

    <LocationMatch icon\.png$>
        Header unset Cross-Origin-Resource-Policy
    </LocationMatch>
@tessus commented on GitHub (Jan 26, 2025): For Apache reverse proxy setups, the following has to be put in the `VirtualHost` section: ```apache <LocationMatch icon\.png$> Header unset Cross-Origin-Resource-Policy </LocationMatch> ```
OVERLORD commented 2026-02-05 03:27:47 +03:00
Author
Owner
Copy Link

@walterzilla commented on GitHub (Jan 27, 2025):

that should do the job i think (...)

Tried in Nginx Proxy Manager with no luck, icons still broken/not loading

Image

Hints?
Thanks

@walterzilla commented on GitHub (Jan 27, 2025): > that should do the job i think (...) Tried in Nginx Proxy Manager with no luck, icons still broken/not loading ![Image](https://github.com/user-attachments/assets/ba22c6b0-2906-407d-8844-7b8c94315a55) Hints? Thanks
OVERLORD commented 2026-02-05 03:27:49 +03:00
Author
Owner
Copy Link

@Eldaroth commented on GitHub (Jan 30, 2025):

If you are able to prevent passing on this header Cross-Origin-Resource-Policy, and best would be only if an url ends with /icon.png, that should do the job i think.

In nginx it looks like this.

location ~ /icon.png$ {
proxy_hide_header Cross-Origin-Resource-Policy;
proxy_pass http://vaultwarden-default;
}

Works for Traefik Reverse Proxy as well by adding a middleware to remove the header, for example via labels

- "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.${DOMAIN}`) || Path(`/icon.png`)"
- "traefik.http.routers.vaultwarden.middlewares=remove-header"
- "traefik.http.middlewares.remove-header.headers.customResponseHeaders.Cross-Origin-Resource-Policy="
@Eldaroth commented on GitHub (Jan 30, 2025): > If you are able to prevent passing on this header `Cross-Origin-Resource-Policy`, and best would be only if an url ends with `/icon.png`, that should do the job i think. > > In nginx it looks like this. > > location ~ /icon.png$ { > proxy_hide_header Cross-Origin-Resource-Policy; > proxy_pass http://vaultwarden-default; > } Works for Traefik Reverse Proxy as well by adding a middleware to remove the header, for example via labels ``` - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.${DOMAIN}`) || Path(`/icon.png`)" - "traefik.http.routers.vaultwarden.middlewares=remove-header" - "traefik.http.middlewares.remove-header.headers.customResponseHeaders.Cross-Origin-Resource-Policy=" ```
OVERLORD commented 2026-02-05 03:27:52 +03:00
Author
Owner
Copy Link

@msebald commented on GitHub (Jan 31, 2025):

In HAProxy (through OPNsense) I put

http-response del-header Cross-Origin-Resource-Policy

into "Option pass-through" (enable advanced mode to see " Option pass-through").

Now I see icons again on my Windows Bitwarden client.

Will this be fixed? The issue is closed and Docker was updated recently and my container seems to be up-to-date. But I still did not see any icons until this addition to HAProxy today.

@msebald commented on GitHub (Jan 31, 2025): In HAProxy (through OPNsense) I put `http-response del-header Cross-Origin-Resource-Policy` into "Option pass-through" (enable advanced mode to see " Option pass-through"). Now I see icons again on my Windows Bitwarden client. Will this be fixed? The issue is closed and Docker was updated recently and my container seems to be up-to-date. But I still did not see any icons until this addition to HAProxy today.
OVERLORD commented 2026-02-05 03:27:54 +03:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Jan 31, 2025):

Either use testing or wait for a new stable release.

@BlackDex commented on GitHub (Jan 31, 2025): Either use testing or wait for a new stable release.
OVERLORD commented 2026-02-05 03:27:57 +03:00
Author
Owner
Copy Link

@MrDoZo commented on GitHub (Jan 31, 2025):

So solved it via dynamic.yml in traefik:

I set priority for main router to 10.

Extra router only for icons:

bw-icon-http:
  rule: "Host(`bw.url`) && PathRegexp(`/icons/[^/]+/icon\\.png`)"
  entryPoints:
    - web
  middlewares:
    - redirect-to-https
    - remove-header
  service: bw-service
  priority: 20

bw-icon-https:
  rule: "Host(`bw.url`) && PathRegexp(`/icons/[^/]+/icon\\.png`)"
  entryPoints:
    - websecure
  tls:
    certResolver: inwxcert
  middlewares:
    - remove-header
  service: bw-service
  priority: 20

middleware:

remove-header:
  headers:
    customResponseHeaders:
      Cross-Origin-Resource-Policy: ""
@MrDoZo commented on GitHub (Jan 31, 2025): So solved it via dynamic.yml in traefik: I set priority for main router to 10. Extra router only for icons: bw-icon-http: rule: "Host(`bw.url`) && PathRegexp(`/icons/[^/]+/icon\\.png`)" entryPoints: - web middlewares: - redirect-to-https - remove-header service: bw-service priority: 20 bw-icon-https: rule: "Host(`bw.url`) && PathRegexp(`/icons/[^/]+/icon\\.png`)" entryPoints: - websecure tls: certResolver: inwxcert middlewares: - remove-header service: bw-service priority: 20 middleware: remove-header: headers: customResponseHeaders: Cross-Origin-Resource-Policy: ""
OVERLORD commented 2026-02-05 03:28:01 +03:00
Author
Owner
Copy Link

@flowoy96 commented on GitHub (Feb 2, 2025):

that should do the job i think (...)

Tried in Nginx Proxy Manager with no luck, icons still broken/not loading

Image

Hints? Thanks

Have you been able to fix this? Also not working for me on NPM

@flowoy96 commented on GitHub (Feb 2, 2025): > > that should do the job i think (...) > > Tried in Nginx Proxy Manager with no luck, icons still broken/not loading > > ![Image](https://github.com/user-attachments/assets/ba22c6b0-2906-407d-8844-7b8c94315a55) > > Hints? Thanks Have you been able to fix this? Also not working for me on NPM
OVERLORD commented 2026-02-05 03:28:05 +03:00
Author
Owner
Copy Link

@tessus commented on GitHub (Feb 2, 2025):

Did you see this?

Image

This means the fix is in testing or github master.

@tessus commented on GitHub (Feb 2, 2025): Did you see this? <img width="558" alt="Image" src="https://github.com/user-attachments/assets/d05bacd0-3084-45ad-89ca-9d410c9bee8d" /> This means the fix is in testing or github master.
OVERLORD commented 2026-02-05 03:28:09 +03:00
Author
Owner
Copy Link

@NeurekaSoftware commented on GitHub (Feb 3, 2025):

For those that want a fix now for Caddy, you can add the following to your Caddyfile:

@iconPath {
    path_regexp iconPath ^.*\/icon\.png$
}
header @iconPath {
    -Cross-Origin-Resource-Policy
}

Full Example:

vault.example.com {
	@iconPath {
		path_regexp iconPath ^.*\/icon\.png$
	}
	header @iconPath {
		-Cross-Origin-Resource-Policy
	}
	reverse_proxy 127.0.0.1:11001 {
		header_up X-Real-IP {remote_host}
	}
}
@NeurekaSoftware commented on GitHub (Feb 3, 2025): For those that want a fix now for Caddy, you can add the following to your Caddyfile: ```caddyfile @iconPath { path_regexp iconPath ^.*\/icon\.png$ } header @iconPath { -Cross-Origin-Resource-Policy } ``` Full Example: ```caddyfile vault.example.com { @iconPath { path_regexp iconPath ^.*\/icon\.png$ } header @iconPath { -Cross-Origin-Resource-Policy } reverse_proxy 127.0.0.1:11001 { header_up X-Real-IP {remote_host} } } ```
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
troubleshooting
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#2150
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?