vaultwarden server responds with these headers:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=600
Server: Rocket
Feature-Policy: accelerometer ‘none’; ambient-light-sensor ‘none’; autoplay ‘none’; camera ‘none’; encrypted-media ‘none’; fullscreen ‘none’; geolocation ‘none’; gyroscope ‘none’; magnetometer ‘none’; microphone ‘none’; midi ‘none’; payment ‘none’; picture-in-picture ‘none’; sync-xhr ‘self’ https://haveibeenpwned.com https://2fa.directory; usb ‘none’; vr ‘none’
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors ‘self’ chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ;
Content-Length: 1181
Date: Mon, 08 Nov 2021 10:30:18 GMT
We discovered a problem for fido2 webauth authorization with 2 headers: X-Frame-Options and Content-Security-Policy
if we disable the following directives on reverse proxy, fido2 authentication works:
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
it’s just a workaround and disabling it is probably not good from a security perspective
this should be fixed in the desktop app
e.g.
github/dani-garcia/vaultwarden/pull/293