[RCU] Content Security Policy for Roundcube

David Mehler dave.mehler at gmail.com
Fri Jul 26 23:32:00 CEST 2019


Hello,

I am also interested in an answer to this question. For my setup I have:

# Content-Security-Policy
Header set Content-Security-Policy "default-src 'self';"

I have no idea if this is right or complete.

I'm also interested in the best settings for these headers:

# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
Header set Referrer-Policy "strict-origin"

Thanks.
Dave.


On 7/25/19, James Brown <jlbrown at bordo.com.au> wrote:
> Turning on 'Show Javascript Console' from Safari Develop menu showed me that
> my Content Security Policy was preventing emails displaying in mailboxes.
>
> Additionally at logout I get the message
>
> "PHP Error: Request security check failed
> REQUEST CHECK FAILED
> For your protection, access to this resource is secured against CSRF.
> If you see this, you probably didn't log out before leaving the web
> application.
>
> Human interaction is now required to continue."
> Please contact your server-administrator.
>
> Commenting out the CSP line in https.conf fixed it.
>
> Currently using:
>
> Header set Content-Security-Policy "default-src 'self'; form-action 'self';
> frame-ancestors 'self'; base-uri ‘self'
>
> Which fails.
>
> Is there a recommended CSP for Roundcube?
>
> thanks,
>
> James.
> _______________________________________________
> Roundcube Users mailing list
> users at lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/users
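An added example, not part of either message above: a small Python parser and linter for a Content-Security-Policy value, so a header can be checked before it is put into the Apache config. It splits the value into directives and sources as browsers do (directives separated by `;`, tokens by whitespace), flags non-ASCII quote characters such as the `‘` visible in the quoted `base-uri ‘self'` line (a keyword wrapped in a curly quote is not recognised as a keyword), flags keyword sources that are not single-quoted, and warns about `'unsafe-inline'`, `'unsafe-eval'`, a missing `default-src` and a missing `frame-ancestors`. The policies checked in the test are constructed from the values in this thread; the set of checks is this example's own choice and is not a Roundcube recommendation.

```python
"""Parse and lint a Content-Security-Policy header value (constructed example)."""
from typing import Dict, List

# Characters that look like ASCII quotes but are not. A header pasted from a
# word processor or mail client often contains one of these, and a browser
# then sees a host name like "\u2018self'" instead of the keyword 'self'.
SMART_QUOTES = ["\u2018", "\u2019", "\u201c", "\u201d"]

# Source keywords that CSP requires to be wrapped in single quotes.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}.

    Directives are separated by ';', sources by whitespace; directive names
    are case-insensitive, so they are lower-cased here. A trailing ';'
    simply yields an empty chunk, which is skipped.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def lint_csp(value: str) -> List[str]:
    """Return a list of human-readable findings for a CSP value (empty = clean)."""
    findings: List[str] = []

    # 1. Typographic quotes silently break keyword sources.
    for ch in SMART_QUOTES:
        if ch in value:
            findings.append(
                f"non-ASCII quote U+{ord(ch):04X} found; wrap keywords in plain ' quotes"
            )

    policy = parse_csp(value)

    # 2. Without default-src, any fetch directive not listed is unrestricted.
    if "default-src" not in policy:
        findings.append("no default-src: unlisted fetch directives allow any origin")

    # 3. Per-source checks: unquoted keywords and the two classic weakeners.
    for name, sources in policy.items():
        for src in sources:
            bare = src.strip("'")
            quoted = src.startswith("'") and src.endswith("'") and len(src) > 1
            if bare in KEYWORDS and not quoted:
                findings.append(
                    f"{name}: keyword {bare} must be written as '{bare}' "
                    "(unquoted it is treated as a host name)"
                )
            if bare in ("unsafe-inline", "unsafe-eval"):
                findings.append(f"{name}: '{bare}' weakens the policy's XSS protection")

    # 4. frame-ancestors is the CSP replacement for X-Frame-Options.
    if "frame-ancestors" not in policy:
        findings.append(
            "no frame-ancestors: clickjacking protection relies on X-Frame-Options alone"
        )
    return findings


if __name__ == "__main__":
    # Constructed inputs based on the two headers quoted in this thread.
    for sample in [
        "default-src 'self';",
        "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri \u2018self'",
    ]:
        print(repr(sample))
        for finding in lint_csp(sample) or ["  (no findings)"]:
            print("  -", finding)
```

A practical way to use a check like this is alongside the `Content-Security-Policy-Report-Only` header, which makes the browser report violations to the console without enforcing the policy, so a candidate policy can be observed against normal Roundcube use (login, reading mail, logout) before being switched to the enforcing header.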

