[RCU] Content Security Policy for Roundcube
jlbrown at bordo.com.au
Wed Oct 9 09:38:01 CEST 2019
Still can’t get this to work.
I’m using the .htaccess file in my roundcube/ root.
I.e. to override the CSP headers in http.conf (for all that Apache serves).
No matter what I put I still get no messages in the mailboxes.
Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
In apache_root/roundcube/.htaccess I have:
Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"
Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"
> On 27 Jul 2019, at 7:32 am, David Mehler <dave.mehler at gmail.com> wrote:
> I am also interested in an answer to this question. For my setup I have:
> # Content-Security-Policy
> Header set Content-Security-Policy "default-src 'self';"
> I have no idea if this is right or complete.
> I'm also interested in the best settings for these headers:
> # Prevent ClickJacking
> # Deny outright
> #Header always set X-Frame-Options DENY
> # Roundcube needs this for displaying messages in tabs
> Header always set X-Frame-Options SAMEORIGIN
> # Prevent Cross Site Scripting (XSS)
> Header set X-XSS-Protection "1; mode=block"
> # Prevent Mime Types Security risks
> Header always set X-Content-Type-Options nosniff
> # Cross-domain-policy
> Header set X-Permitted-Cross-Domain-Policies "none"
> # Referer policy
> Header set Referrer-Policy "strict-origin"
> On 7/25/19, James Brown <jlbrown at bordo.com.au> wrote:
>> my Content Security Policy was preventing emails displaying in mailboxes.
>> Additionally at logout I get the message
>> "PHP Error: Request security check failed
>> REQUEST CHECK FAILED
>> For your protection, access to this resource is secured against CSRF.
>> If you see this, you probably didn't log out before leaving the web
>> Human interaction is now required to continue."
>> Please contact your server-administrator.
>> Commenting out the CSP line in https.conf fixed it.
>> Currently using:
>> Header set Content-Security-Policy "default-src 'self'; form-action 'self';
>> frame-ancestors 'self'; base-uri ‘self'
>> Which fails.
>> Is there a recommended CSP for Roundcube?
>> Roundcube Users mailing list
>> users at lists.roundcube.net
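Added example, not from anyone in this thread: a small Python checker for the situation James describes above, assuming nothing beyond the two header values he posted. It parses a CSP value the way a browser does and reports whether inline scripts would run; since two `Header set` lines for the same header make mod_headers keep only the second value, that second policy is the one the browser actually evaluates.

```python
# Added example (not from the thread): evaluate a CSP header value the way a
# browser does and report whether inline <script> elements would be allowed.
# Roundcube's pages contain inline scripts, so an effective script-src without
# 'unsafe-inline' (and without a nonce or hash) yields exactly the
# "Refused to execute a script ..." console error quoted in the mail.
from typing import Dict, List

INLINE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated. A directive
    that appears twice keeps its first occurrence, as browsers do (the
    duplicate is ignored, not merged).
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def inline_script_allowed(header_value: str) -> bool:
    """True if an inline script would execute under this policy.

    script-src governs scripts; if it is absent default-src applies; if
    neither is present the policy places no restriction on scripts.
    """
    sources = parse_csp(header_value)
    effective = sources.get("script-src", sources.get("default-src"))
    if effective is None:
        return True
    return any(s == "'unsafe-inline'" or s.startswith(INLINE_PREFIXES)
               for s in effective)


# The two values from the .htaccess above (first one abridged). With two
# `Header set` lines for the same header, mod_headers replaces the first
# value with the second, so only SECOND_HEADER reaches the browser.
FIRST_HEADER = ("default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' "
                "'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'")
SECOND_HEADER = ("default-src 'self'; form-action 'self'; frame-ancestors 'self'; "
                 "base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard")

if __name__ == "__main__":
    for label, value in (("first", FIRST_HEADER), ("second, effective", SECOND_HEADER)):
        print(f"{label}: inline scripts allowed = {inline_script_allowed(value)}")
```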