[RCU] Content Security Policy for Roundcube

James Brown jlbrown at bordo.com.au
Thu Oct 10 07:46:42 CEST 2019

I think you could be right Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.

Even tried putting:

<Directory "apache_root/roundcube">
	Header unset Content-Security-Policy
</Directory>

In https.conf to no avail.


> On 10 Oct 2019, at 6:06 am, roundcube--lists at thomas.freit.ag wrote:
> Hi James,
> my guess is that the header configured in your .htaccess file is not overriding the one set in
> http.conf. You can easily check this with Firefox or Chrome dev tools in the network tab.
> Unfortunately Apache httpd documentation (@
> https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.
> On 09.10.19 09:38, James Brown wrote:
>> Still can’t get this to work.
>> I’m using the .htaccess file in my roundcube/ root.
>> I.e. to override the CSP headers in http.conf (for all that Apache serves).
>> No matter what I put I still get no messages in the mailboxes.
>> Javascript Console shows:
>> Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
>> roundcube:57
>> In apache_root/roundcube/.htaccess I have:
>> Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"
> I would suggest using "Header always set ..." or "Header unset Content-Security-Policy" before
> setting it with a new value.
>> httpd.conf has:
>> Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"
> My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
> style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests;
> block-all-mixed-content; report-uri....". Works for latest 1.3.x and 1.4.x-RC, with httpd 2.4.38.
> "header set" in my .htaccess is sufficient to set it.
> hth,
> Thomas

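Added example, not part of the original messages or of Roundcube: a Python check of whether a set of Content-Security-Policy header values, as copied from the browser's network tab, lets an inline script run. It shows that the httpd.conf value quoted in the thread refuses inline scripts on its own and still does so if it reaches the browser alongside the .htaccess value. The sample values are reconstructed from the thread with report-uri omitted, and all function names are hypothetical.

```python
# Added example: evaluates constructed copies of the header values quoted in this thread.

def parse_csp(value):
    """Parse one Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Per the CSP spec a repeated directive is ignored, so the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def allows_inline_script(value):
    """True if this single policy lets an inline <script> without nonce or hash run."""
    policy = parse_csp(value)
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered):
        return False
    return "'unsafe-inline'" in lowered


def inline_script_verdict(header_values):
    """Every CSP header in a response is enforced, so all of them must allow it."""
    blockers = [v for v in header_values if not allows_inline_script(v)]
    return (not blockers, blockers)


# Constructed sample input: the two values as posted in the thread (report-uri omitted).
HTTPD_CONF = "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'"
HTACCESS = ("default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
            "style-src 'self' 'unsafe-inline'; img-src 'self'")

if __name__ == "__main__":
    for label, headers in [("httpd.conf only", [HTTPD_CONF]),
                           (".htaccess only", [HTACCESS]),
                           ("both delivered", [HTTPD_CONF, HTACCESS])]:
        ok, blockers = inline_script_verdict(headers)
        print(f"{label}: inline script {'allowed' if ok else 'blocked'}")
        for b in blockers:
            print(f"  blocked by: {b}")
```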