CSP frame-ancestors doesn't include official desktop app #2075

Closed
opened 2026-04-06 02:56:16 +02:00 by MrUnknownDE · 0 comments

Originally created by @LunNova on 6/29/2022

The bitwarden desktop app is at a file:// URL, so the frame-ancestors list prevents it from being framed.

This prevents the 2FA webauthn frame from working.

```
Refused to frame 'https://bitwarden.***/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*".
```

```
window.location
Location {ancestorOrigins: DOMStringList, href: 'file:///%LOCALAPPDATA%/Programs/Bitwarden/resources/app.asar/index.html#/login', origin: 'file://', protocol: 'file:', host: '', …}
```

Is it safe to add `file://*` to the [frame-ancestors list in util.rs](https://github.com/dani-garcia/vaultwarden/blob/main/src/util.rs#L73)?

The current content-security-policy used by the official web vault at https://vault.bitwarden.com doesn't set frame-ancestors.

Repro steps

  1. Set up 2FA with a yubikey on the web vault
  2. Install the official bitwarden desktop app
  3. Try to sign in with yubikey, sit at loading spinner forever and get `Refused to frame ...` error in developer tools
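Added example, not code from vaultwarden, Bitwarden or the issue author: a small Rust model of how a browser evaluates `frame-ancestors`, using the exact source list quoted in the error above. It shows why the desktop app's `file://` origin (the `origin` value in the `window.location` dump) matches none of the current sources, and what a widened list such as the proposed `file://*` admits. The matching rules are a deliberately reduced subset of CSP source-expression matching and are an assumption, not any browser's implementation; `SELF_ORIGIN` is a made-up vault origin.

```rust
// Added example (not vaultwarden/Bitwarden code): simplified model of the
// CSP frame-ancestors check applied to the source list quoted in the issue.
// Matching rules are an assumption (reduced subset of CSP source matching).

/// Origin of the vault that serves the CSP header (assumed value).
pub const SELF_ORIGIN: &str = "https://vault.example";

/// The frame-ancestors sources quoted in the issue's error message.
pub const CURRENT_SOURCES: &[&str] = &[
    "'self'",
    "chrome-extension://nngceckbapebfimnlniiiahkandclblb",
    "chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh",
    "moz-extension://*",
];

/// Render the directive as it would appear in the Content-Security-Policy header.
pub fn frame_ancestors_directive<S: AsRef<str>>(sources: &[S]) -> String {
    let joined: Vec<&str> = sources.iter().map(|s| s.as_ref()).collect();
    format!("frame-ancestors {}", joined.join(" "))
}

/// The quoted list with one extra source appended, e.g. "file://*".
pub fn with_extra_source(extra: &str) -> Vec<String> {
    let mut v: Vec<String> = CURRENT_SOURCES.iter().map(|s| s.to_string()).collect();
    v.push(extra.to_string());
    v
}

/// Split "scheme://host" into (scheme, host). For a file: page the host is
/// empty, exactly as the window.location dump in the issue shows (host: '').
fn split_origin(origin: &str) -> Option<(&str, &str)> {
    origin.split_once("://")
}

/// Simplified source-expression matching (assumption):
///  - 'self'          matches only the vault's own origin
///  - "scheme://*"    matches any origin with that scheme, empty host included
///  - "scheme://host" matches that exact origin
pub fn source_matches(source: &str, self_origin: &str, ancestor: &str) -> bool {
    if source == "'self'" {
        return ancestor == self_origin;
    }
    let (Some((s_scheme, s_host)), Some((a_scheme, a_host))) =
        (split_origin(source), split_origin(ancestor))
    else {
        return false;
    };
    if s_scheme != a_scheme {
        return false;
    }
    s_host == "*" || s_host == a_host
}

/// The frame-ancestors decision: every ancestor frame's origin must match at
/// least one source, otherwise the browser refuses to frame the document.
pub fn ancestors_allowed<S: AsRef<str>>(sources: &[S], self_origin: &str, ancestors: &[&str]) -> bool {
    ancestors
        .iter()
        .all(|a| sources.iter().any(|s| source_matches(s.as_ref(), self_origin, a)))
}

fn main() {
    // Origin the desktop app reports for itself (from the issue's window.location dump).
    let desktop_app = ["file://"];

    println!("{}", frame_ancestors_directive(CURRENT_SOURCES));
    println!(
        "desktop app may frame the vault with the current list: {}",
        ancestors_allowed(CURRENT_SOURCES, SELF_ORIGIN, &desktop_app)
    );

    let widened = with_extra_source("file://*");
    println!("{}", frame_ancestors_directive(&widened));
    println!(
        "desktop app may frame the vault with the widened list: {}",
        ancestors_allowed(&widened, SELF_ORIGIN, &desktop_app)
    );
}
```

The point the model makes visible: `'self'` is the vault's own `https://` origin and the remaining sources are all extension schemes, so a `file://` ancestor is refused regardless of which local page it is. Under the same model, a source for the `file` scheme admits every page served from a `file:` URL, since they all report the same `origin: 'file://'` shown in the dump, not only the Bitwarden desktop app.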
Reference: github/vaultwarden#2075