[RCU] Content Security Policy for Roundcube

roundcube--lists at thomas.freit.ag roundcube--lists at thomas.freit.ag
Wed Oct 9 21:06:34 CEST 2019

Hi James,

my guess is, that the header configured in your .htaccess file is not overriding the one set in
http.conf. You can easily check this with Firefox or Chrome dev tools in the network tab.
Unfortunately Apache httpd documentation (@
https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.

On 09.10.19 09:38, James Brown wrote:
> Still can’t get this to work.
> I’m using the .htaccess file in my roundcube/ root.
> Ie to override the CSP headers in http.conf (for all that Apache serves).
> No matter what I put I still get no messages in the mailboxes.
> Javascript Console shows:
> Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
> roundcube:57
> In apache_root/roundcube/.htaccess I have:
> Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"

I would suggest to use "Header always set ..." or "Header unset Content-Security-Policy" before
setting it with a new value.

> httpd.conf has:
> Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"

My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests;
block-all-mixed-content; report-uri....". Works for latest 1.3.x and 1.4.x-RC, with httpd 2.4.38
"header set" in my .htaccess is sufficient to set it.


More information about the users mailing list