PM-13632: Add support for configuring multiple allowed origins (#6317)

* Add support for configuring multiple allowed origins * Use if/else instead of union * Add conditionals * Added Chromium based extension ID's * format * Update src/Core/Constants.cs Co-authored-by: Matt Bishop <mbishop@bitwarden.com> * remove chromedevelopmentid * format --------- Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
2025-12-18 09:13:19 +00:00 · 2025-10-06 16:15:05 +02:00
parent a15974029e
commit f75ad36770
3 changed files with 34 additions and 1 deletions
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -7,6 +7,7 @@ using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using AspNetCoreRateLimit;
 using Azure.Messaging.ServiceBus;
+using Bit.Core;
 using Bit.Core.AdminConsole.AbilitiesCache;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
@@ -695,8 +696,23 @@ public static class ServiceCollectionExtensions
        {
            options.ServerDomain = new Uri(globalSettings.BaseServiceUri.Vault).Host;
            options.ServerName = "Bitwarden";
-            options.Origins = new HashSet<string> { globalSettings.BaseServiceUri.Vault, };
            options.TimestampDriftTolerance = 300000;
+
+            if (globalSettings.Fido2?.Origins?.Any() == true)
+            {
+                options.Origins = new HashSet<string>(globalSettings.Fido2.Origins);
+            }
+            else
+            {
+                // Default to allowing the vault domain and chromium browser extension IDs
+                options.Origins = new HashSet<string> {
+                    globalSettings.BaseServiceUri.Vault,
+                    Constants.BrowserExtensions.ChromeId,
+                    Constants.BrowserExtensions.EdgeId,
+                    Constants.BrowserExtensions.OperaId
+                 };
+            }
+
        });
    }