Still can’t get this to work.
I’m using the .htaccess file in my roundcube/ root.
I.e. to override the CSP headers in httpd.conf (for all that Apache serves).
No matter what I put I still get no messages in the mailboxes.
Javascript Console shows:
Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. roundcube:57
In apache_root/roundcube/.htaccess I have:
Header set Content-Security-Policy "default-src 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; referrer no-referrer"
httpd.conf has:
Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"
Any suggestions?
Thanks,
James.
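To see why a policy still blocks Roundcube's inline scripts, it helps to evaluate the header value the way a browser does: script-src governs inline scripts, default-src is only the fallback when script-src is absent, and a stray character inside a source expression silently invalidates that expression. The checker below is an added example, not code from the thread or from the Roundcube project; it parses the two policies quoted above (the .htaccess one exactly as posted, with its doubled quote) and reports which one would refuse an inline script. The regexes are a simplified approximation of the CSP source-expression grammar, enough to catch quoting typos, not a full validator.

```python
import re

# Keyword source expressions recognised by CSP (quotes are part of the token).
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'"}
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/=_-]+'$")
# Loose check for scheme:, host, host:port, optional path (assumption: simplified grammar).
HOST_OR_SCHEME = re.compile(
    r"^(\*|[a-z][a-z0-9+.-]*:|(?:[a-z][a-z0-9+.-]*://)?(\*\.)?[a-z0-9.-]+"
    r"(:(\d+|\*))?(/[^\s;,]*)?)$", re.IGNORECASE)
# Directives whose values are not source lists and are skipped by the syntax check.
NON_SOURCE_DIRECTIVES = {"report-uri", "report-to", "sandbox", "referrer",
                         "upgrade-insecure-requests", "block-all-mixed-content"}

# Policies quoted in the thread (the .htaccess one verbatim, including the ''unsafe-eval' typo).
HTACCESS_CSP = ("default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
                "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; "
                "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; "
                "form-action 'self';referrer no-referrer")
HTTPD_CSP = ("default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; "
             "report-uri https://bordo.report-uri.com/r/d/csp/wizard")


def parse_csp(value):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # browsers ignore a repeated directive
    return policy


def malformed_sources(policy):
    """Return (directive, token) pairs that are not valid source expressions."""
    bad = []
    for name, sources in policy.items():
        if name in NON_SOURCE_DIRECTIVES:
            continue
        for src in sources:
            if src in KEYWORDS or NONCE_OR_HASH.match(src) or HOST_OR_SCHEME.match(src):
                continue
            bad.append((name, src))
    return bad


def inline_script_allowed(policy):
    """True if an inline <script> without nonce or hash would execute under this policy."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive, so scripts are unrestricted
    if "'unsafe-inline'" not in sources:
        return False
    # A nonce, hash or 'strict-dynamic' in the same list makes 'unsafe-inline' ignored.
    if "'strict-dynamic'" in sources or any(NONCE_OR_HASH.match(s) for s in sources):
        return False
    return True


def inline_script_allowed_by_all(header_values):
    """If several CSP headers reach the browser, every one of them must allow the script."""
    return all(inline_script_allowed(parse_csp(v)) for v in header_values)


if __name__ == "__main__":
    for label, value in (("htaccess", HTACCESS_CSP), ("httpd.conf", HTTPD_CSP)):
        policy = parse_csp(value)
        print(label, "malformed:", malformed_sources(policy),
              "inline script allowed:", inline_script_allowed(policy))
    print("both headers sent:", inline_script_allowed_by_all([HTACCESS_CSP, HTTPD_CSP]))
```

Running it shows the .htaccess policy would allow the inline script (its script-src carries 'unsafe-inline') but contains a malformed default-src token, while the httpd.conf policy has no script-src and so falls back to default-src 'self', which refuses inline scripts. If the server ends up emitting both headers, the second one wins for the inline script, which matches the console message in the thread.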
On 27 Jul 2019, at 7:32 am, David Mehler dave.mehler@gmail.com wrote:
Hello,
I am also interested in an answer to this question. For my setup I have:
# Content-Security-Policy
Header set Content-Security-Policy "default-src 'self';"
I have no idea if this is right or complete.
I'm also interested in the best settings for these headers:
# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"
# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff
# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy
Header set Referrer-Policy "strict-origin"
Thanks. Dave.
On 7/25/19, James Brown jlbrown@bordo.com.au wrote:
Turning on 'Show Javascript Console' from Safari Develop menu showed me that my Content Security Policy was preventing emails displaying in mailboxes.
Additionally at logout I get the message
"PHP Error: Request security check failed REQUEST CHECK FAILED For your protection, access to this resource is secured against CSRF. If you see this, you probably didn't log out before leaving the web application.
Human interaction is now required to continue." Please contact your server-administrator.
Commenting out the CSP line in httpd.conf fixed it.
Currently using:
Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'"
Which fails.
Is there a recommended CSP for Roundcube?
thanks,
James.
_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users