[RCU] Content Security Policy for Roundcube
jlbrown at bordo.com.au
Fri Oct 11 07:55:31 CEST 2019
Unfortunately it still doesn’t work.
In http.conf I put:
But I would always get “.../roundcube/.htaccess: Header not allowed here”
So commented everything out of roundcube/.htaccess and in http.conf I put:
#Header unset Content-Security-Policy
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
But still get:
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 17)
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 57)
> On 11 Oct 2019, at 12:02 am, @lbutlr <kremels at kreme.com> wrote:
> On Oct 9, 2019, at 11:46 PM, James Brown <jlbrown at bordo.com.au> wrote:
>> I think you could be right Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.
> Sounds like your .htaccess file is not being processed then.
> What is the AllowOverride directive in your http.conf for the roundcube directory or parent directory.
> For example, my roundcube install is in /usr/local/www/roundcube and in http.conf I have
> <Directory "/usr/local/www”>
> . . . stuff
> AllowOverride All
> . . . stuff
> The thing standing in the way of your dreams is that the person having them is
> *you* https://xkcd.com/1027/
> Roundcube Users mailing list
> users at lists.roundcube.net
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4688 bytes
Desc: not available
More information about the users