From 037eb0b790b06ebeeead9f9ff9fe802dc05db1e0 Mon Sep 17 00:00:00 2001 From: dheimerl <34488243+dheimerl@users.noreply.github.com> Date: Sat, 15 Dec 2018 13:23:07 -0600 Subject: [PATCH 1/3] Update web.rs Add frame-ancestors to allow U2F to work in Chrome (and possibly Firefox) extension --- src/api/web.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/api/web.rs b/src/api/web.rs index 8db632a..e395504 100644 --- a/src/api/web.rs +++ b/src/api/web.rs @@ -56,6 +56,8 @@ impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders { res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); res.set_raw_header("X-Content-Type-Options", "nosniff"); res.set_raw_header("X-XSS-Protection", "1; mode=block"); + res.set_raw_header("Content-Security-Policy", "frame-ancestors chrome-extension://*"); + res.set_raw_header("Content-Security-Policy", "frame-ancestors moz-extension://*"); Ok(res) }, From 7f7c9360493c863f7297222b32f49c408ea558e2 Mon Sep 17 00:00:00 2001 From: dheimerl <34488243+dheimerl@users.noreply.github.com> Date: Mon, 17 Dec 2018 22:59:53 -0600 Subject: [PATCH 2/3] Fixed web.rs --- src/api/web.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/api/web.rs b/src/api/web.rs index e395504..31bfe3a 100644 --- a/src/api/web.rs +++ b/src/api/web.rs @@ -56,8 +56,8 @@ impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders { res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); res.set_raw_header("X-Content-Type-Options", "nosniff"); res.set_raw_header("X-XSS-Protection", "1; mode=block"); - res.set_raw_header("Content-Security-Policy", "frame-ancestors chrome-extension://*"); - res.set_raw_header("Content-Security-Policy", "frame-ancestors moz-extension://*"); + let csp = "frame-ancestors chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ".to_owned() + &CONFIG.domain + ";"; + res.set_raw_header("Content-Security-Policy", csp); Ok(res) }, From 9a7d3634d5efb5bddfc7065f971eae467370813f Mon Sep 17 00:00:00 2001 From: dheimerl <34488243+dheimerl@users.noreply.github.com> Date: Tue, 18 Dec 2018 10:19:35 -0600 Subject: [PATCH 3/3] Changed frame-ancestors to use 'self' --- src/api/web.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/api/web.rs b/src/api/web.rs index 31bfe3a..bcf41bd 100644 --- a/src/api/web.rs +++ b/src/api/web.rs @@ -56,7 +56,7 @@ impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders { res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); res.set_raw_header("X-Content-Type-Options", "nosniff"); res.set_raw_header("X-XSS-Protection", "1; mode=block"); - let csp = "frame-ancestors chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ".to_owned() + &CONFIG.domain + ";"; + let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;"; res.set_raw_header("Content-Security-Policy", csp); Ok(res)