Unable to download attachments

We have a self-hosted, docker-based install of Bitwarden with an active premium account. We keep our installation up to date.

We are having issues where we are unable to download attachments. When clicking on the file to download, the progress spinner just goes on and on (for very small files). Has anything like this been reported already?

This is what gets logged in the developer console (some info taken out for privacy):

XHR GET http://bitwarden.domain.com/attachments/6f6df1cd-7dbf-4f12-baee-ab0c0139eb8a/waogzqra3xcozjbcom3dw9wzyid0b2g2
ERROR Error: "Uncaught (in promise): TypeError: NetworkError when attempting to fetch resource.
"
Content Security Policy: The page’s settings blocked the loading of a resource at http://bitwarden.domain.com/attachments/6f6df1cd-7dbf-4f12-baee-ab0c0139eb8a/waogzqra3xcozjbcom3dw9wzyid0b2g2 (“connect-src”).

Hi, any news about that?
Self-hosted on Synology, same problem with CSP.

I was given this by their support. It worked. But I have a docker setup (not sure if that is the case for you on Synology).

You will need to edit the file ./bwdata/nginx/default.conf and look for add_header Content-Security-Policy. Please add https://*.yourdomain.com as a self connect-src inside the Content-Security-Policy. You will now need to restart the Bitwarden Server and give it a test.

So for my case, my change was as follows:

...
  location / {
    proxy_pass http://web:5000/;
    include /etc/nginx/security-headers.conf;
    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; connect-src 'self' wss://bitwarden.mydomain.com https://api.pwnedpasswords.com https://twofactorauth.org; object-src 'self' blob:;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Robots-Tag "noindex, nofollow";
  }
...

(Notice the wss://bitwarden.mydomain.com). Hope this helps.

Can you tell me what exactly you changed? I have the same problem, but in my installation on Synology Docker the wss://sub.mydomain.com entry is already there. Do I have to add another *. entry?
Thank you for your reply.

@waehli I have it pretty much like I pasted it in the location block. You may have to check the browser’s developer console to see what domain or address it is giving CSP errors for and then add to the appropriate section.
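
The check suggested in the last reply (read the address out of the console's CSP error, then compare it with the policy nginx sends), as an added example that is not part of the thread or of Bitwarden's code. The matcher is a simplified model of CSP source matching and all function names are hypothetical; the policy string is the one posted above, and the console line uses a placeholder path.

```javascript
// Added example: simplified CSP source matching (scheme, host, port only; paths ignored).
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const UPGRADE = { "http:": "https:", "ws:": "wss:" }; // an insecure-scheme source also covers its secure twin
// Policy as posted in the thread; console line shortened, with a placeholder path.
const POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; connect-src 'self' wss://bitwarden.mydomain.com https://api.pwnedpasswords.com https://twofactorauth.org; object-src 'self' blob:;";
const CONSOLE_LINE = "Content Security Policy: The page’s settings blocked the loading of a resource at http://bitwarden.domain.com/attachments/ID/FILE (“connect-src”).";

// Extract the blocked URL and the directive from a Firefox-style console line.
function parseViolation(line) {
  const m = /blocked the loading of a resource at (\S+) \([“"]([a-z-]+)[”"]\)/.exec(line);
  return m ? { url: m[1], directive: m[2] } : null;
}

// Source list of one directive, falling back to default-src as browsers do for fetch directives.
function sourcesFor(policy, name) {
  const table = {};
  for (const part of policy.split(";")) {
    const [key, ...sources] = part.trim().split(/\s+/);
    if (key) table[key.toLowerCase()] = sources;
  }
  return table[name] || table["default-src"] || [];
}

function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (expr === "'self'") expr = page.origin;   // treat 'self' as the page's own origin
  if (expr.startsWith("'")) return false;      // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase(); // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(expr);
  if (!m) return false;
  const want = m[1] ? m[1].toLowerCase() + ":" : page.protocol;
  if (want !== u.protocol && UPGRADE[want] !== u.protocol) return false;
  const host = m[2].toLowerCase();
  const hostOk = host === "*" || host === u.hostname || (host.startsWith("*.") && u.hostname.endsWith(host.slice(1)));
  const port = u.port || DEFAULT_PORT[u.protocol];
  return hostOk && (m[3] === "*" || port === (m[3] || DEFAULT_PORT[u.protocol]));
}

// Evaluate one console line against the policy nginx sends for the page.
function diagnose(line, policy, pageOrigin) {
  const v = parseViolation(line);
  if (!v) return null;
  const [target, page] = [new URL(v.url), new URL(pageOrigin)];
  const allowed = sourcesFor(policy, v.directive).some((s) => sourceMatches(s, v.url, pageOrigin));
  return { directive: v.directive, blockedOrigin: target.origin, allowed,
    sameHostOtherScheme: target.host === page.host && target.protocol !== page.protocol };
}
console.log(diagnose(CONSOLE_LINE, POLICY, "https://bitwarden.domain.com"));
```

A result with `sameHostOtherScheme: true` means the blocked request goes to the page's own host over a different scheme, which `'self'` does not cover.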