Hello,
I am also interested in an answer to this question. For my setup I have:
# Content-Security-Policy Header set Content-Security-Policy "default-src 'self';"
I have no idea if this is right or complete.
I'm also interested in the best settings for these headers:
# Prevent ClickJacking # Deny outright #Header always set X-Frame-Options DENY # Roundcube needs this for displaying messages in tabs Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS) Header set X-XSS-Protection "1; mode=block"
# Prevent Mime Types Security risks Header always set X-Content-Type-Options nosniff
# Cross-domain-policy Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy Header set Referrer-Policy "strict-origin"
Thanks. Dave.
On 7/25/19, James Brown jlbrown@bordo.com.au wrote:
Turning on 'Show Javascript Console' from Safari Develop menu showed me that my Content Security Policy was preventing emails displaying in mailboxes.
Additionally at logout I get the message
"PHP Error: Request security check failed REQUEST CHECK FAILED For your protection, access to this resource is secured against CSRF. If you see this, you probably didn't log out before leaving the web application.
Human interaction is now required to continue." Please contact your server-administrator.
Commenting out the CSP line in https.conf fixed it.
Currently using:
Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri ‘self'
Which fails.
Is there a recommended CSP for Roundcube?
thanks,
James. _______________________________________________ Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users