[PM-25250] Prevent configuration and access of self hosted urls over http (#17095)

* feat: ban urls not using https * feat: add exception for dev env * feat: block fetching of insecure URLs * feat: add exception for dev env * feat: block notifications from using insecure URL * fix: bug where submission was possible regardless of error * feat: add exception for dev env * fix: missing constructor param
2025-12-11 13:53:34 +00:00 · 2025-10-31 08:12:44 +01:00
parent 2dd314e992
commit 48fb8b2bfe
11 changed files with 106 additions and 11 deletions
--- a/libs/common/src/services/api.service.ts
+++ b/libs/common/src/services/api.service.ts
@@ -117,6 +117,8 @@ import { AttachmentResponse } from "../vault/models/response/attachment.response
 import { CipherResponse } from "../vault/models/response/cipher.response";
 import { OptionalCipherResponse } from "../vault/models/response/optional-cipher.response";

+import { InsecureUrlNotAllowedError } from "./api-errors";
+
 export type HttpOperations = {
  createRequest: (url: string, request: RequestInit) => Request;
 };
@@ -1310,6 +1312,10 @@ export class ApiService implements ApiServiceAbstraction {
  }

  async fetch(request: Request): Promise<Response> {
+    if (!request.url.startsWith("https://") && !this.platformUtilsService.isDev()) {
+      throw new InsecureUrlNotAllowedError();
+    }
+
    if (request.method === "GET") {
      request.headers.set("Cache-Control", "no-store");
      request.headers.set("Pragma", "no-cache");