DuckDuckGo not working on Self-Hosted environments (CORS Protected like Firefox) #3798

Closed
BlackDex opened this issue Oct 15, 2022 · 6 comments · Fixed by #3888
@BlackDex
Contributor

Steps To Reproduce

  1. Go to a self-hosted environment using some private hostname, not something with bitwarden.com
  2. Go to Tools > Generator > Forwarded Email Alias
  3. Select DuckDuckGo, just enter a random string, or an actual correct API key of course.
  4. Try to generate.

It will respond with a CORS error.

Expected Result

Either:

  1. A valid response from DuckDuckGo
  2. DuckDuckGo not available for self-hosted environments, as is currently the case for Firefox Relay.

Actual Result

DuckDuckGo option is available but not working.

Screenshots or Videos

image

Additional Context

I also tried this via cURL by using the request sent by vault.bitwarden.com, which does work, and if I change it to anything else, it will not respond with the needed headers. So it looks like DuckDuckGo is CORS protected, same as Firefox.

Operating System

Windows, macOS, Linux

Operating System Version

No response

Web Browser

Chrome, Firefox

Browser Version

No response

Build Version

2022.10.0

@Hinton
Member

Hinton commented Oct 17, 2022

Thanks for the report.

This should most likely have been removed from self-hosted. Waiting to hear back from some colleagues first to confirm.

@BlackDex
Contributor Author

Though, I find it a bit strange actually. The Mobile client allows Firefox to work, but the web-vault for self-hosted envs has it removed. If I try to access the API manually, it seems to at least respond with an invalid token message.

The only thing which breaks is the CORS part by first sending an OPTIONS call which fails, for some reason, but if I manually send a POST it works.

I haven't worked with the whole CORS backend/frontend that much, so I'm not sure how this should work exactly.

@Hinton
Member

Hinton commented Oct 18, 2022

That's how CORS works. The browser sends an OPTIONS call to check if the website allows clients from another website to make requests, which protects against potentially stealing sensitive information. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
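
An added example, not part of the original thread and not Bitwarden or DuckDuckGo code: a simplified model of the browser's preflight decision, run against a constructed OPTIONS response that returns CORS headers only to `https://vault.bitwarden.com`. The response headers, the `Authorization` header carrying the API key, and all function names are assumptions made for illustration.

```javascript
// Simplified model of the preflight check a browser runs (Fetch standard) for a
// request sent without cookies. Added example; not Bitwarden or DuckDuckGo code.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

const tokens = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

function needsPermission(name, value) {
  if (SAFE_HEADERS.has(name)) return false;
  if (name === "content-type")
    return !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
  return true;
}

// req: { origin, method, headers: { name: value } }
// res: { status, headers: { "lowercase-name": value } }  (the OPTIONS response)
function preflightVerdict(req, res) {
  if (res.status < 200 || res.status > 299) return "blocked: preflight status " + res.status;
  const allowOrigin = res.headers["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== req.origin) return "blocked: origin not allowed";
  const methods = tokens(res.headers["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method) && !methods.includes("*"))
    return "blocked: method not allowed";
  const allowed = tokens(res.headers["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const [rawName, value] of Object.entries(req.headers)) {
    const name = rawName.toLowerCase();
    if (!needsPermission(name, value)) continue;
    // "*" never covers Authorization; the server has to list it by name.
    if (!allowed.includes(name) && !(allowed.includes("*") && name !== "authorization"))
      return "blocked: header " + name + " not allowed";
  }
  return "allowed";
}

// Constructed stand-in for an API that returns CORS headers to one origin only.
function constructedPreflightResponse(origin) {
  const trusted = "https://vault.bitwarden.com";
  if (origin !== trusted) return { status: 200, headers: {} };
  return { status: 200, headers: {
    "access-control-allow-origin": trusted,
    "access-control-allow-methods": "POST",
    "access-control-allow-headers": "authorization, content-type" } };
}

// Assumption: the API key travels in an Authorization header, which forces a preflight.
const apiCall = (origin) => ({ origin, method: "POST",
  headers: { Authorization: "Bearer <api-key>", "Content-Type": "application/json" } });
```

cURL and the native clients never run this check, which is why a manually sent POST gets an answer while the same call from a web vault on another origin is stopped in the browser.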

@Hinton
Member

Hinton commented Oct 21, 2022

It will be disabled for the web vault on self-hosted instances, but it will still be available on all the other clients.
