WebAuthn broken on clients for Unified server

[Skimige]

Steps To Reproduce

1. Logout from Windows Client (for example), reset session from web vault if necessary
2. Try to login from Windows Client
3. At "FIDO2 WebAuthn" page, the webauthn-connector.html iframe is refused to be displayed; More details can be checked through Dev Tools

Expected Result

FIDO2 WebAuthn iframe can load and properly prompts user to insert a key / complete 2FA.

Actual Result

Client chromium refuses to display webauthn-connector.html iframe because of X-Frame-Options (and Content-Security-Policy maybe, if X-Frame-Options is removed, not tested, just assumption)

Screenshots or Videos

Additional Context

Request URL:
https://bitwarden.yourdomain.tld/webauthn-connector.html?data=......&&parent=file%253A%252F%252F%252FC%253A%252FUsers%252F<Username>%252FAppData%252FLocal%252FPrograms%252FBitwarden%252Fresources%252Fapp.asar%252Findex.html%2523%252F2fa&btnText=%25E9%25AA%258C%25E8%25AF%2581%2520WebAuthn&v=1

Response Headers captured from Dev Tools:

alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 78410202d8a607a9-HKG
content-encoding: br
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://2fa.directory; object-src 'self' blob:;
content-type: text/html
date: Wed, 04 Jan 2023 03:50:04 GMT
last-modified: Tue, 13 Dec 2022 20:45:32 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
referrer-policy: same-origin
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dka5Wf3VV7vqP0WipAGFXm7Sh8lmfq4N%2F9fKUoW%2BS%2BIKmJaQXhquUXVFpmvr9AK%2BQEZ6DkxlkBuix9yib0TC%2FM3tUIFY%2FE%2BPF%2FjWk%2B7QdUQDfr%2BbFMctBCCJagK8LNax9tHc%2Bj9zfpSWikElGFlbBg%3D%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare
strict-transport-security: max-age=15552000
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block

I have a temporary workaround to fix this, which is to modify the nginx config inside the docker container. I create this by checking difference of unified nginx hbs template and normal nginx hbs template.
(not a generated diff, self-formartted)

   location = /app-id.json {
     root /app/Web;
     include /etc/nginx/security-headers.conf;
     proxy_hide_header Content-Type;
     add_header Content-Type $fido_content_type;
   }
 
+  location = /duo-connector.html {
+    root /app/Web;
+    include /etc/nginx/security-headers.conf;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
+  location = /webauthn-connector.html {
+    root /app/Web;
+    include /etc/nginx/security-headers.conf;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
+  location = /webauthn-fallback-connector.html {
+    root /app/Web;
+    include /etc/nginx/security-headers.conf;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
+  location = /sso-connector.html {
+    root /app/Web;
+    include /etc/nginx/security-headers.conf;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
   location /attachments {
     alias /etc/bitwarden/attachments/;
   }

In the actual case, the hbs template should be updated to fix this issue. In the master branch, the config template does not change

I don't create a pull request directly because I'm not that familiar with nginx and I think the temporary workaround does not look concise.

Githash Version

455d62e-dirty

Environment Details

• OS: Debian 11 inside Proxmox VE (KVM virt)
• Docker Version: 5:20.10.22~3-0~debian-bullseye
• Reverse Proxy: Cloudflare Tunnel (Cloudflare says that they won't modify CSP header; they didn't modify XFO header too I guess)

Database Image

madiadb:10

Issue-Link

#2480

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[justindbaur]

Your assessment looks good and is probably what we will want. You can similarly see those in the standard deployments file. @vgrassia should we add these to the template?

server/util/Setup/Templates/NginxConfig.hbs

Lines 82 to 101 in 5036304

	include /etc/nginx/security-headers.conf;
	proxy_hide_header Content-Type;
	add_header Content-Type $fido_content_type;
	}
	location = /duo-connector.html {
	proxy_pass http://web:5000/duo-connector.html;
	}
	location = /webauthn-connector.html {
	proxy_pass http://web:5000/webauthn-connector.html;
	}
	location = /webauthn-fallback-connector.html {
	proxy_pass http://web:5000/webauthn-fallback-connector.html;
	}
	location = /sso-connector.html {
	proxy_pass http://web:5000/sso-connector.html;
	}