[RCU] Content Security Policy for Roundcube

James Brown jlbrown at bordo.com.au
Thu Oct 31 01:46:50 CET 2019


Finally got this to work.

In http.conf I put:

<Directory “/parth/to/roundcube">
	AllowOverride All
	Options +Indexes
</Directory>

Then created /path/to/roundcube/.htaccess and it has:

Header unset Content-Security-Policy
Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"

Not sure if the first line with the ‘unset’ is needed.

After restarting Apache it works.

Hope that helps someone else.

James.


> On 11 Oct 2019, at 4:55 pm, James Brown <jlbrown at bordo.com.au> wrote:
> 
> Good suggestion.
> 
> Unfortunately it still doesn’t work.
> 
> In http.conf I put:
> 
> <Directory “path/to/sites/roundcube”
> 	AllowOverride All
> </Directory>
> 
> But I would always get “.../roundcube/.htaccess: Header not allowed here” 
> 
> So commented everything out of roundcube/.htaccess and in http.conf I put:
> 
> <Directory "path/to/sites/roundcube">
> 	AllowOverride All
> 	#Header unset Content-Security-Policy
> 	Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
> </Directory>
> 
> But still get:
> 
> [Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 17)
> [Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 57)
> 
> Maddening!
> 
> James.
> 
>> On 11 Oct 2019, at 12:02 am, @lbutlr <kremels at kreme.com> wrote:
>> 
>> On Oct 9, 2019, at 11:46 PM, James Brown <jlbrown at bordo.com.au> wrote:
>>> I think you could be right Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.
>> 
>> Sounds like your .htaccess file is not being processed then.
>> 
>> What is the AllowOverride directive in your http.conf for the roundcube directory or parent directory.
>> 
>> For example, my roundcube install is in /usr/local/www/roundcube and in http.conf I have 
>> 
>> <Directory "/usr/local/www”>
>> . . . stuff
>> AllowOverride All
>> . . . stuff
>> </Directory>
>> 
>> 
>> 
>> -- 
>> The thing standing in the way of your dreams is that the person having them is
>> *you* https://xkcd.com/1027/
>> 
>> _______________________________________________
>> Roundcube Users mailing list
>> users at lists.roundcube.net
>> http://lists.roundcube.net/mailman/listinfo/users
> 
> 
> _______________________________________________
> Roundcube Users mailing list
> users at lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/users


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4688 bytes
Desc: not available
URL: <http://lists.roundcube.net/pipermail/users/attachments/20191031/41a56573/attachment.bin>


More information about the users mailing list