David Mehler dave.mehler at gmail.com
Wed Oct 9 23:29:00 CEST 2019


Here are some options I've set in my Apache configuration, and with my
setup Roundcube does show messages.


Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff

# Content-Security-Policy
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
Header always set Referrer-Policy "strict-origin"

# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'

On 10/9/19, roundcube--lists at thomas.freit.ag
<roundcube--lists at thomas.freit.ag> wrote:
> Hi James,
> My guess is that the header configured in your .htaccess file is not
> overriding the one set in http.conf. You can easily check this with
> Firefox or Chrome dev tools in the network tab.
> Unfortunately Apache httpd documentation (@
> https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.
> On 09.10.19 09:38, James Brown wrote:
>> Still can’t get this to work.
>> I’m using the .htaccess file in my roundcube/ root.
>> I.e. to override the CSP headers in http.conf (for all that Apache serves).
>> No matter what I put I still get no messages in the mailboxes.
>> Javascript Console shows:
>> Refused to execute a script because its hash, its nonce, or
>> 'unsafe-inline' appears in neither the script-src directive nor the
>> default-src directive of the Content Security Policy.
>> roundcube:57
>> In apache_root/roundcube/.htaccess I have:
>> Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src
>> 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';
>> img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors
>> 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"
> I would suggest using "Header always set ..." or "Header unset
> Content-Security-Policy" before setting it with a new value.
>> httpd.conf has:
>> Header set Content-Security-Policy "default-src 'self'; form-action
>> 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri
>> https://bordo.report-uri.com/r/d/csp/wizard"
> My CSP header value is "default-src 'self'; script-src 'self'
> 'unsafe-inline' 'unsafe-eval';
> style-src 'unsafe-inline' 'self'; form-action 'self';
> upgrade-insecure-requests;
> block-all-mixed-content; report-uri....". Works for latest 1.3.x and
> 1.4.x-RC, with httpd 2.4.38
> "header set" in my .htaccess is sufficient to set it.
> hth,
> Thomas
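A check for the console error quoted above, as an added example that is not code from this thread or from Roundcube: it parses every Content-Security-Policy header on a response and reports whether an inline script would run, because a browser enforces each CSP header it receives, so if both the httpd.conf policy and the .htaccess policy reach the client the stricter one still blocks the script. The sample header blocks are constructed, modelled on the values quoted in the thread; nonce- and hash-sources are recognised but not evaluated.

```python
"""Added example, not from the thread: would an inline <script> run under the
Content-Security-Policy header(s) of a response? Nonces/hashes not modelled."""
import re

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
            "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'"}
# scheme:, host, *, or a nonce-/hash-source; anything else is a typo browsers drop
SOURCE_RE = re.compile(r"^(?:'(?:nonce-|sha(?:256|384|512)-)[\w+/=-]+'"
                       r"|[A-Za-z][\w+.-]*:|\*|[*\w.:/-]+)$")


def parse_csp(value):
    """Map directive name -> source tokens; a repeated directive is ignored."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def malformed_sources(policy):
    """Tokens no browser accepts, e.g. ''unsafe-eval' from the quoted .htaccess."""
    return [(d, s) for d, srcs in policy.items() for s in srcs
            if s not in KEYWORDS and not SOURCE_RE.match(s)]


def csp_headers(raw_headers):
    """Every Content-Security-Policy value in a raw response header block."""
    return [v.strip() for n, _, v in (line.partition(":")
                                      for line in raw_headers.splitlines())
            if n.strip().lower() == "content-security-policy"]


def inline_script_allowed(raw_headers):
    """A browser enforces EVERY CSP header it receives, so all must allow it."""
    policies = [parse_csp(v) for v in csp_headers(raw_headers)]
    return all("'unsafe-inline'" in p.get("script-src", p.get("default-src", []))
               for p in policies)


# Constructed sample: the httpd.conf header was not replaced, so both are sent.
BOTH_HEADERS = ("HTTP/1.1 200 OK\r\n"
                "Content-Security-Policy: default-src 'self'; form-action 'self'\r\n"
                "Content-Security-Policy: default-src 'self'; script-src 'self' "
                "'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'\r\n")
ONLY_HTACCESS = "\r\n".join(BOTH_HEADERS.split("\r\n")[2:])  # after "Header unset"
```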
