[RCU] Content Security Policy for Roundcube

James Brown jlbrown at bordo.com.au
Wed Oct 9 09:38:01 CEST 2019

Still can’t get this to work.

I’m using the .htaccess file in my roundcube/ root.

I.e. to override the CSP headers in httpd.conf (for all that Apache serves).

No matter what I put I still get no messages in the mailboxes.

Javascript Console shows:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.

In apache_root/roundcube/.htaccess I have:

Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"

httpd.conf has:

Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"

Any suggestions?
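A small parser, added here and not from the Roundcube project or from anyone in this thread, that splits a CSP header value into directives (as browsers do), reports which directive governs inline scripts and whether it permits them, and flags tokens with unbalanced or non-ASCII quotes. It is run over the two policies quoted above, and also shows that when more than one policy is delivered, a script has to satisfy all of them.

```python
"""Added example: check whether a CSP value lets inline scripts run."""
import re
from typing import Dict, List, Optional, Tuple

# The two policies quoted in the thread (.htaccess and httpd.conf).
HTACCESS_CSP = ("default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
                "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; "
                "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; "
                "form-action 'self';referrer no-referrer")
HTTPD_CONF_CSP = ("default-src 'self'; form-action 'self'; frame-ancestors 'self'; "
                  "base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard")

# Source expressions that allow an inline <script> to execute.
INLINE_ALLOWERS = re.compile(
    r"^('unsafe-inline'|'nonce-[A-Za-z0-9+/=_-]+'|'sha(256|384|512)-[A-Za-z0-9+/=_-]+')$")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'name tok tok; name tok' into {name: [tokens]}; first duplicate wins."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def malformed_tokens(policy: Dict[str, List[str]]) -> List[str]:
    """Tokens with an odd number of ASCII quotes or typographic quotes (never valid CSP)."""
    return [tok for sources in policy.values() for tok in sources
            if tok.count("'") % 2 == 1 or "\u2018" in tok or "\u2019" in tok]


def inline_script_verdict(policy: Dict[str, List[str]]) -> Tuple[Optional[str], bool]:
    """Return (governing directive, inline scripts allowed?).

    script-src governs if present, otherwise default-src is the fallback;
    with neither directive there is no restriction at all.
    """
    for name in ("script-src", "default-src"):
        if name in policy:
            return name, any(INLINE_ALLOWERS.match(t) for t in policy[name])
    return None, True


def all_policies_allow(headers: List[str]) -> bool:
    """Several CSP headers on one response are enforced together: every one must allow."""
    return all(inline_script_verdict(parse_csp(h))[1] for h in headers)
```

With `HTTPD_CONF_CSP` alone, `default-src 'self'` governs inline scripts and blocks them, which is exactly the console message above; `HTACCESS_CSP` allows them but carries the malformed token `''unsafe-eval'`, and if both headers reach the browser the stricter one still wins.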



> On 27 Jul 2019, at 7:32 am, David Mehler <dave.mehler at gmail.com> wrote:
> Hello,
> I am also interested in an answer to this question. For my setup I have:
> # Content-Security-Policy
> Header set Content-Security-Policy "default-src 'self';"
> I have no idea if this is right or complete.
> I'm also interested in the best settings for these headers:
> # Prevent ClickJacking
> # Deny outright
> #Header always set X-Frame-Options DENY
> # Roundcube needs this for displaying messages in tabs
> Header always set X-Frame-Options SAMEORIGIN
> # Prevent Cross Site Scripting (XSS)
> Header set X-XSS-Protection "1; mode=block"
> # Prevent Mime Types Security risks
> Header always set X-Content-Type-Options nosniff
> # Cross-domain-policy
> Header set X-Permitted-Cross-Domain-Policies "none"
> # Referer policy
> Header set Referrer-Policy "strict-origin"
> Thanks.
> Dave.
> On 7/25/19, James Brown <jlbrown at bordo.com.au> wrote:
>> Turning on 'Show Javascript Console' from Safari Develop menu showed me that
>> my Content Security Policy was preventing emails displaying in mailboxes.
>> Additionally at logout I get the message
>> "PHP Error: Request security check failed
>> For your protection, access to this resource is secured against CSRF.
>> If you see this, you probably didn't log out before leaving the web
>> application.
>> Human interaction is now required to continue."
>> Please contact your server-administrator.
>> Commenting out the CSP line in httpd.conf fixed it.
>> Currently using:
>> Header set Content-Security-Policy "default-src 'self'; form-action 'self';
>> frame-ancestors 'self'; base-uri ‘self'
>> Which fails.
>> Is there a recommended CSP for Roundcube?
>> thanks,
>> James.
>> _______________________________________________
>> Roundcube Users mailing list
>> users at lists.roundcube.net
>> http://lists.roundcube.net/mailman/listinfo/users
