Make CSP easier / more secure by not making SMTP Test inline

Hi,

This is a request that was concluded from the discussion here: Email doesn't work with script-src CSP - #4 by WhatAShame

In order to properly set up CSP, it is necessary to add the ‘unsafe-hashes’ tag because the SMTP test happens inline. It would be better if that inline code was moved to a file for an easier (and more secure?) content security policy.

Thanks!

Then a lot of other items will also break, I think.
Like toggle secrets visibility, database backup, config delete etc…
And also the actions on the user and org, and probably also the diagnostics page.

There is a lot of specific JS code per page at the moment. So it will probably not only affect SMTP.

How can you secure your Vaultwarden instance then?
If you allow inline JavaScript (which you are forced to) then you expose your password manager to attacks. Or am I wrong?

As mentioned in the other topic you started already (Allowance of Inline JavaScript poses a security risk), the script-src inline is only allowed for the /admin interface. That interface has no access to the passwords or keys or whatever.

The web-vault has no inline script-src enabled, and thus no issue.