Hello,
I recently configured Vaultwarden behind a Content Security Policy.
For Vaultwarden to work, you have to allow the execution of 'unsafe-inline' scripts.
At the same time this is a major security risk for the entire service.
I wonder why there’s no discussion about this because everyone should have that problem.
Probably without even realizing.
The unsafe-inline for script-src is only active for the /admin panel and not the rest of the web-vault interface.
So, there shouldn't be an issue using the web-vault itself.
Currently changing the admin interface to have no inline script isn't a priority, so I do not think this will happen really soon.
Also, if you configure it yourself, you probably overwrite the one from Vaultwarden, and you may miss CSP configs needed to have the web-vault working correctly.
So if I put another CSP on top the two are going to be active at the same time?
Meaning that when I specify my script-src to allow unsafe-inline it will get cancelled by the Vaultwarden one (only on the Vault)?
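The interaction asked about above, as an added example that is not part of this thread and not Vaultwarden's own code: browsers enforce every Content-Security-Policy header they receive, so an inline script runs only if each delivered policy's effective script-src allows it (and 'unsafe-inline' is ignored in a directive that also carries a nonce or hash). The policy strings and the function names are constructed stand-ins, not Vaultwarden's real headers or API.

```python
from __future__ import annotations

# Added example: how a browser combines several CSP headers. Every delivered
# policy is enforced on its own, so an inline script needs *each* policy's
# effective script-src to permit it. Policies below are constructed samples.

def parse_csp(header: str) -> dict[str, set[str]]:
    """Split a CSP header value into {directive: {source expressions}}."""
    policy: dict[str, set[str]] = {}
    for raw in header.split(";"):
        parts = raw.split()
        if parts:
            policy[parts[0].lower()] = {p.lower() for p in parts[1:]}
    return policy

def script_sources(policy: dict[str, set[str]]) -> set[str] | None:
    """script-src if present, else default-src as fallback, else None (unrestricted)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")

def inline_script_allowed(policy: dict[str, set[str]]) -> bool:
    """An inline script with no nonce/hash needs 'unsafe-inline', and that keyword
    is ignored when the directive also lists a nonce or hash source."""
    srcs = script_sources(policy)
    if srcs is None:
        return True  # nothing restricts scripts in this policy
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs
    )
    return "'unsafe-inline'" in srcs and not has_nonce_or_hash

def inline_allowed_by_all(headers: list[str]) -> bool:
    """Several CSP headers are each enforced: the script runs only if all allow it."""
    return all(inline_script_allowed(parse_csp(h)) for h in headers)

# Constructed stand-ins for the two policies the question describes (hypothetical).
APP_ADMIN_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"  # app policy on /admin
APP_VAULT_CSP = "default-src 'self'; script-src 'self'"                  # app policy on the vault
PROXY_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"      # added by a reverse proxy

def demo() -> dict[str, bool]:
    return {
        "admin+proxy": inline_allowed_by_all([APP_ADMIN_CSP, PROXY_CSP]),  # True
        "vault+proxy": inline_allowed_by_all([APP_VAULT_CSP, PROXY_CSP]),  # False: vault policy still blocks
        "proxy-only": inline_allowed_by_all([PROXY_CSP]),                  # True
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: inline script {'allowed' if ok else 'blocked'}")
```

The "vault+proxy" case is the practical point: adding a permissive header at the proxy cannot loosen a stricter one the application already sends; the stricter policy still wins.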