From 839d89e0b445aa80e6598ae59778610556dbe6ae Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kspearrin@users.noreply.github.com>
Date: Fri, 4 Nov 2022 10:26:30 -0400
Subject: [PATCH] add csp and only pass hostname to duo init (#3972)

* add csp and only pass hostname to duo init

* expand style-src

* Update apps/web/src/connectors/duo.html

Co-authored-by: Oscar Hinton <Hinton@users.noreply.github.com>

Co-authored-by: Oscar Hinton <Hinton@users.noreply.github.com>
---
 apps/web/src/connectors/duo.html | 4 ++++
 apps/web/src/connectors/duo.ts   | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/apps/web/src/connectors/duo.html b/apps/web/src/connectors/duo.html
index b58587baa0..af766b22d9 100644
--- a/apps/web/src/connectors/duo.html
+++ b/apps/web/src/connectors/duo.html
@@ -6,6 +6,10 @@
       name="viewport"
       content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width"
     />
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com;"
+    />
     <title>Bitwarden Duo Connector</title>
   </head>
 
diff --git a/apps/web/src/connectors/duo.ts b/apps/web/src/connectors/duo.ts
index 96b129585f..b041c0d6a2 100644
--- a/apps/web/src/connectors/duo.ts
+++ b/apps/web/src/connectors/duo.ts
@@ -23,7 +23,7 @@ document.addEventListener("DOMContentLoaded", () => {
 
   DuoWebSDK.init({
     iframe: "duo_iframe",
-    host: hostParam,
+    host: hostUrl.hostname,
     sig_request: requestParam,
     submit_callback: (form: any) => {
       invokeCSCode(form.elements.sig_response.value);