add csp and only pass hostname to duo init (#3972)

* add csp and only pass hostname to duo init

* expand style-src

* Update apps/web/src/connectors/duo.html

Co-authored-by: Oscar Hinton <Hinton@users.noreply.github.com>

Co-authored-by: Oscar Hinton <Hinton@users.noreply.github.com>
Kyle Spearrin 2022-11-04 10:26:30 -04:00 committed by GitHub
parent 6dc846081a
commit 839d89e0b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 1 deletions


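--- a/apps/web/src/connectors/duo.html
+++ b/apps/web/src/connectors/duo.html
@@ -6,6 +6,10 @@
 name="viewport"
 content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width"
 />
+<meta
+http-equiv="Content-Security-Policy"
+content="default-src 'self'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com;"
+/>
 <title>Bitwarden Duo Connector</title>
 </head>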
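Review bot: The meta-delivered policy cannot restrict who may frame this connector: `frame-ancestors` is ignored in a `<meta http-equiv>` CSP and is not covered by `default-src`, so if framing of the connector page should be limited, that directive has to be sent as a `Content-Security-Policy` HTTP header by whatever serves `apps/web/src/connectors/duo.html`. Because `default-src 'self'` now also governs `script-src` and `style-src`, any inline script or style in the rest of this document (outside the hunk) will be blocked; worth confirming the page loads cleanly in the embedding clients. A short comment above the new tag would also record why both `child-src` and `frame-src` list the Duo origins, e.g. `<!-- child-src kept alongside frame-src for browsers that predate frame-src; keep both lists in sync -->`. The enclosing `<head>` starts outside the hunk.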


@ -23,7 +23,7 @@ document.addEventListener("DOMContentLoaded", () => {
DuoWebSDK.init({ DuoWebSDK.init({
iframe: "duo_iframe", iframe: "duo_iframe",
host: hostParam, host: hostUrl.hostname,
sig_request: requestParam, sig_request: requestParam,
submit_callback: (form: any) => { submit_callback: (form: any) => {
invokeCSCode(form.elements.sig_response.value); invokeCSCode(form.elements.sig_response.value);
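Review bot: `host: hostUrl.hostname` narrows what reaches `DuoWebSDK.init`, but nothing visible checks that the hostname is actually a Duo origin before the SDK is handed it; the CSP in `apps/web/src/connectors/duo.html` only makes an unexpected host fail at frame-load time rather than rejecting it up front. Since `hostUrl` is built above this hunk, I can't see whether such a check already exists, but if not, a suffix check before the call would make the intent explicit, e.g. `const allowedHostSuffixes = [".duosecurity.com", ".duofederal.com"];` followed by `if (!allowedHostSuffixes.some((s) => hostUrl.hostname.endsWith(s))) { throw new Error("Unexpected Duo host"); }` (or however this file already reports a bad parameter). The `DOMContentLoaded` handler begins and ends outside the hunk.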