Maybe someone can help here. I have bitwardenRS running happily behind Traefik reverse proxy. I can successfully login via the web vault, desktop apps on Mac OSX, and browser plugins for Chrome, Firefox, and mobile apps on iOS.
Only the Safari plugin won’t play ball and spits out the following error when trying to login:
Origin file:// is not allowed by Access-Control-Allow-Origin.
Same is happening to me.
I can log in every other browser extension, desktop app and mobile app, but Safari Extension gives me the same error and I can’t see anything in the portainer logs.
I have tested it with and without these changes using the latest Bitwarden version, but i’m not having issues. I can sync without trouble. Since bitwarden_rs already returns ‘*’ as the allowed CORS instead of the specific requested file://.
Thus it could be that the reverse proxy is doing something which removes or changes these headers?
I have tested the patch also, it does also work, but i’m not seeing any difference in the plugin in Safari.
It would be nice if someone could test the Bitwarden Plugin in Safari using the Developer Console to see what happens.
For this you need to:
Enable the Show Develop menu in menu bar option under the Advanced settings of Safari.
Then open the Bitwarden Extension by clicking on the icon.
Right-click somewhere in the bitwarden pop-up and click on Inspect Element
This will open a new window where you will see the output, errors, network traffic etc… from the bitwarden extension.
Now try to login, sync etc… and see what requests are sent and received.
I think the CORS headers are not being returned at all currently, even though the current version of bitwarden_rs already does this.
Below you see a screenshot of how it could look like.
@ein_radler, @thewinger and @Roadrunner, could you please try to provide some more information as i requested in my previous post? I have tested this, and it seemed to work for me without any adjustments. That doesn’t say your configuration is bad, but i think we need more information before we can have a good answer.
It could be the reverse proxy in between is changing something for example.
[http.middlewares.middlewares-secure-headers]
[http.middlewares.middlewares-secure-headers.headers]
accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlMaxAge = 100
hostsProxyHeaders = ["X-Forwarded-Host"]
sslRedirect = true
stsSeconds = 63072000
stsIncludeSubdomains = true
stsPreload = true
forceSTSHeader = true
# frameDeny = true #overwritten by customFrameOptionsValue
customFrameOptionsValue = "allow-from https:example.com" #CSP takes care of this but may be needed for organizr.
contentTypeNosniff = true
browserXssFilter = true
# sslForceHost = true # add sslHost to all of the services
# sslHost = "example.com"
referrerPolicy = "same-origin"
# Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
# the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
# contentSecurityPolicy = "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none';"
[http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
server = ""
Not really familiar with Traefik, but it looks like it’s dropping the Access-Control-Allow-Origin header in the response for some reason. You could probably add it manually using
Thank you for pointing me to the answer.
I commented out the middleware I was using and added the ones from your link and now is logging in in Safari Extension.
