[RCU] Content Security Policy for Roundcube

James Brown jlbrown at bordo.com.au
Fri Oct 11 07:55:31 CEST 2019


Good suggestion.

Unfortunately it still doesn’t work.

In http.conf I put:

<Directory "path/to/sites/roundcube">
	AllowOverride All
</Directory>

But I would always get “.../roundcube/.htaccess: Header not allowed here” 

So I commented everything out of roundcube/.htaccess and in http.conf I put:

<Directory "path/to/sites/roundcube">
	AllowOverride All
	#Header unset Content-Security-Policy
	Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
</Directory>

But I still get:

[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 17)
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 57)

Maddening!

James.

> On 11 Oct 2019, at 12:02 am, @lbutlr <kremels at kreme.com> wrote:
> 
> On Oct 9, 2019, at 11:46 PM, James Brown <jlbrown at bordo.com.au> wrote:
>> I think you could be right Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.
> 
> Sounds like your .htaccess file is not being processed then.
> 
> What is the AllowOverride directive in your http.conf for the roundcube directory or parent directory?
> 
> For example, my roundcube install is in /usr/local/www/roundcube and in http.conf I have 
> 
> <Directory "/usr/local/www">
>  . . . stuff
>  AllowOverride All
>  . . . stuff
> </Directory>
> 
> 
> 
> -- 
> The thing standing in the way of your dreams is that the person having them is
> *you* https://xkcd.com/1027/
> 
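
Added example (not part of the thread or of Roundcube): a Python check of whether a response's headers let inline scripts without a nonce or hash run, applied to the policy string from the post. Browsers enforce every Content-Security-Policy delivered with a response, so it lists each policy that blocks inline scripts; the second header in `SAMPLE_TWO_HEADERS` is constructed for illustration and does not come from the thread.

```python
import re

# Policy string copied from the Header directive in the post.
POSTED = ("default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' "
          "'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; "
          "upgrade-insecure-requests; block-all-mixed-content")

# Sources that make a browser ignore 'unsafe-inline' for scripts (CSP Level 3).
OVERRIDES_INLINE = re.compile(r"^'(nonce-|sha(256|384|512)-|strict-dynamic')")

def parse_policy(policy):
    """Split one serialized policy into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives

def allows_inline_script(policy):
    """True if this single policy lets a plain inline <script> execute."""
    d = parse_policy(policy)
    # Fallback chain for script elements: script-src-elem, script-src, default-src.
    sources = next((d[k] for k in ("script-src-elem", "script-src", "default-src")
                    if k in d), None)
    if sources is None:
        return True  # no directive governs scripts in this policy
    if any(OVERRIDES_INLINE.match(s) for s in sources):
        return False
    return "'unsafe-inline'" in sources

def enforced_policies(headers):
    """Collect every enforced policy from (name, value) response header pairs."""
    found = []
    for name, value in headers:
        if name.lower() == "content-security-policy":
            found += [p.strip() for p in value.split(",") if p.strip()]
    return found

def inline_script_verdict(headers):
    """Return (allowed, blocking_policies); a script must pass every policy."""
    blocking = [p for p in enforced_policies(headers) if not allows_inline_script(p)]
    return (not blocking, blocking)

# Constructed sample responses: the posted policy alone, then with a second
# (hypothetical) policy header added by some other layer.
SAMPLE_ONE_HEADER = [("Content-Security-Policy", POSTED)]
SAMPLE_TWO_HEADERS = SAMPLE_ONE_HEADER + [("Content-Security-Policy", "script-src 'self'")]

if __name__ == "__main__":
    print(inline_script_verdict(SAMPLE_ONE_HEADER))
    print(inline_script_verdict(SAMPLE_TWO_HEADERS))
```

Feeding it the header pairs actually received from the server (for example from `curl -sI` output) shows which delivered policy, if any, is the one refusing the inline scripts.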

