[RCU] Content Security Policy for Roundcube
dave.mehler at gmail.com
Fri Jul 26 23:32:00 CEST 2019
I am also interested in an answer to this question. For my setup I have:
Header set Content-Security-Policy "default-src 'self';"
I have no idea if this is right or complete.
I'm also interested in the best settings for these headers:
# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"
# Prevent MIME type security risks
Header always set X-Content-Type-Options nosniff
Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy
Header set Referrer-Policy "strict-origin"
On 7/25/19, James Brown <jlbrown at bordo.com.au> wrote:
> my Content Security Policy was preventing emails displaying in mailboxes.
> Additionally at logout I get the message
> "PHP Error: Request security check failed
> REQUEST CHECK FAILED
> For your protection, access to this resource is secured against CSRF.
> If you see this, you probably didn't log out before leaving the web
> Human interaction is now required to continue."
> Please contact your server-administrator.
> Commenting out the CSP line in https.conf fixed it.
> Currently using:
> Header set Content-Security-Policy "default-src 'self'; form-action 'self';
> frame-ancestors 'self'; base-uri ‘self'
> Which fails.
> Is there a recommended CSP for Roundcube?
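As an added example for this thread (not Roundcube project code, and not something either poster ran), here is a small Python linter for Content-Security-Policy values as they would be written in an Apache `Header set` line. It parses the policy into directives, applies the default-src fallback rules, and flags the things that commonly go wrong: typographic quotes and unbalanced double quotes in the header line, unquoted keywords such as `self`, directives that do not inherit from default-src (frame-ancestors, form-action, base-uri), and overly permissive sources. The two sample policies are copied from the mails above, including the typographic quote and missing closing double quote in the second one exactly as it was pasted; the directive tables and all other names are constructed for the example.

```python
"""Parse and lint Content-Security-Policy values as written in Apache
`Header set` lines.

Added example for this thread; it is not Roundcube project code and not
something either poster ran.  The two sample policies below are copied from
the mails above; everything else is constructed for illustration.
"""
from typing import Dict, List, Optional

# The CSP Dave posted, and the one James reported as failing, each as it
# appears in the thread (the second keeps its typographic quote and missing
# closing double quote exactly as pasted).
DAVE_CSP = "\"default-src 'self';\""
JAMES_CSP = ("\"default-src 'self'; form-action 'self'; "
             "frame-ancestors 'self'; base-uri \u2018self'")

# Fetch directives fall back to default-src when they are not set.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}
# These never fall back to default-src, so omitting them leaves the
# corresponding protection off.
NON_FALLBACK = {"frame-ancestors", "form-action", "base-uri"}
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}
TYPOGRAPHIC_QUOTES = "\u2018\u2019\u201c\u201d"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored
    after its first occurrence, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Sources that govern `directive` once default-src fallback is applied.
    Returns None for a non-fallback directive that the policy does not set."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def lint_csp(header_value: str) -> List[str]:
    """Return findings for a CSP value, including the surrounding double
    quotes from the Apache `Header set` line."""
    findings: List[str] = []
    # Syntax defects: a curly quote is not a CSP quote, and an unbalanced
    # double quote means Apache will reject the Header line.
    if any(ch in header_value for ch in TYPOGRAPHIC_QUOTES):
        findings.append("typographic quote present; CSP keywords need ASCII ' quotes")
    if header_value.count('"') % 2:
        findings.append("unbalanced double quote in Header line")
    policy = parse_csp(header_value.strip().strip('"'))
    # Keywords must be quoted; a bare `self` is parsed as a host named self.
    for name, sources in policy.items():
        for src in sources:
            if src.lower() in KEYWORDS:
                findings.append(f"{name}: keyword {src} must be written '{src}'")
    # Directives that do not inherit default-src.
    for name in sorted(NON_FALLBACK - set(policy)):
        findings.append(f"{name} not set and does not fall back to default-src")
    # Overly permissive source expressions.
    for name, sources in policy.items():
        if "*" in sources:
            findings.append(f"{name} allows any origin (*)")
        if "'unsafe-inline'" in sources and name in ("default-src", "script-src"):
            findings.append(f"{name} permits inline scripts via 'unsafe-inline'")
    return findings


if __name__ == "__main__":
    for label, csp in (("Dave", DAVE_CSP), ("James", JAMES_CSP)):
        print(f"{label}: {csp}")
        for finding in lint_csp(csp) or ["no findings"]:
            print("  -", finding)
```

Run against the thread, the first policy gets three findings (frame-ancestors, form-action and base-uri are unset and do not inherit `default-src 'self'`; `frame-ancestors 'self'` is the CSP counterpart of the `X-Frame-Options SAMEORIGIN` line in the same config), and the second gets two syntax findings for the quote characters as pasted. A linter cannot tell whether blocked inline resources are what stopped messages displaying or produced the CSRF error in James's setup; the usual way to find that out is to deploy the same value as `Content-Security-Policy-Report-Only` first and read the browser console or the report endpoint before switching to the enforcing header.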