Can't login with Safari plugin Access-Control-Allow-Origin

Hi all,

Maybe someone can help here. I have bitwardenRS running happily behind Traefik reverse proxy. I can successfully login via the web vault, desktop apps on Mac OSX, and browser plugins for Chrome, Firefox, and mobile apps on iOS.
Only the Safari plugin won’t play ball and spits out the following error when trying to login:

Origin file:// is not allowed by Access-Control-Allow-Origin.

I’m running the latest version of the container:


and have the latest version of the desktop client (and as thus the extension installed).

This maybe a Traefik issue and not a BitwardenRS issue but I don’t know where to start looking. Any ideas?


1 Like


Did you managed to fix this issue? I am having the same issue and running through traefik. The desktop application works fine

Same is happening to me.
I can log in every other browser extension, desktop app and mobile app, but Safari Extension gives me the same error and I can’t see anything in the portainer logs.

This PR will hopefully resolve this issue:

I have tested it with and without these changes using the latest Bitwarden version, but i’m not having issues. I can sync without trouble. Since bitwarden_rs already returns ‘*’ as the allowed CORS instead of the specific requested file://.

Thus it could be that the reverse proxy is doing something which removes or changes these headers?

I have tested the patch also, it does also work, but i’m not seeing any difference in the plugin in Safari.
It would be nice if someone could test the Bitwarden Plugin in Safari using the Developer Console to see what happens.

For this you need to:

  • Enable the Show Develop menu in menu bar option under the Advanced settings of Safari.
  • Then open the Bitwarden Extension by clicking on the icon.
  • Right-click somewhere in the bitwarden pop-up and click on Inspect Element

This will open a new window where you will see the output, errors, network traffic etc… from the bitwarden extension.

Now try to login, sync etc… and see what requests are sent and received.
I think the CORS headers are not being returned at all currently, even though the current version of bitwarden_rs already does this.

Below you see a screenshot of how it could look like.

@ein_radler, @thewinger and @Roadrunner, could you please try to provide some more information as i requested in my previous post? I have tested this, and it seemed to work for me without any adjustments. That doesn’t say your configuration is bad, but i think we need more information before we can have a good answer.

It could be the reverse proxy in between is changing something for example.

I did the Safari Web Inspector and this is what it shows when I try to log in.

This is my docker-compose code for Bitwarden:

# Bitwarden - Password Manager
  image: bitwardenrs/server:latest
  container_name: bitwarden
  restart: unless-stopped
    - t2_proxy
    - bw-net
    - $DOCKERDIR/bitwarden:/data
    - /var/log/docker:/var/log/docker
    - /etc/timezone:/etc/timezone:ro
    - /etc/localtime:/etc/localtime:ro
    - DOMAIN=https://bitwarden.$DOMAINNAME
    - LOG_FILE=/data/bitwarden.log
    - LOG_LEVEL=info
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.bitwarden-rtr.entrypoints=https"
    - "traefik.http.routers.bitwarden-rtr.rule=Host(`bitwarden.$DOMAINNAME`)"
    - "traefik.http.routers.bitwarden-rtr.priority=10"
    ## Middlewares
    - "traefik.http.routers.bitwarden-rtr.middlewares=middlewares-secure-headers@file"
    ## HTTP Services
    - "traefik.http.routers.bitwarden-rtr.service=bitwarden-svc"
    - ""
    ## Bitwarden Websocket
    - "traefik.http.routers.bitwardenHub-rtr.entrypoints=https"
    - "traefik.http.routers.bitwardenHub-rtr.rule=Host(`bitwarden.$DOMAINNAME`) && Path(`/notifications/hub`)"
    - "traefik.http.routers.bitwardenHub-rtr.priority=20"
    - "traefik.http.routers.bitwardenHub-rtr.service=bitwardenHub-svc"
    - ""

And this is the middleware from Traefik v2

    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
    accessControlMaxAge = 100
    hostsProxyHeaders = ["X-Forwarded-Host"]
    sslRedirect = true
    stsSeconds = 63072000
    stsIncludeSubdomains = true
    stsPreload = true
    forceSTSHeader = true
    #   frameDeny = true #overwritten by customFrameOptionsValue
    customFrameOptionsValue = "allow-from" #CSP takes care of this but may be needed for organizr.
    contentTypeNosniff = true
    browserXssFilter = true
    #    sslForceHost = true # add sslHost to all of the services
    #   sslHost = ""
    referrerPolicy = "same-origin"
    #   Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
    #   the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
    #   contentSecurityPolicy = "frame-ancestors '**';object-src 'none';script-src 'none';"
    featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none';"
      X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
      server = ""

Not really familiar with Traefik, but it looks like it’s dropping the Access-Control-Allow-Origin header in the response for some reason. You could probably add it manually using

Also, you should be allowing POST and DELETE methods.

Thank you for pointing me to the answer.
I commented out the middleware I was using and added the ones from your link and now is logging in in Safari Extension.

## Middlewares
## - "traefik.http.routers.bitwarden-rtr.middlewares=middlewares-secure-headers@file"
- "traefik.http.middlewares.bitwarden-mdw.headers.accesscontrolalloworiginlist=*"
- "traefik.http.middlewares.bitwarden-mdw.headers.accesscontrolallowmethods=GET,OPTIONS,PUT,POST,DELETE"