[RCU] Content Security Policy for Roundcube

Turning on 'Show Javascript Console' from Safari Develop menu showed me that my Content Security Policy was preventing emails displaying in mailboxes.

Additionally at logout I get the message

"PHP Error: Request security check failed REQUEST CHECK FAILED For your protection, access to this resource is secured against CSRF. If you see this, you probably didn't log out before leaving the web application.

Human interaction is now required to continue." Please contact your server-administrator.

Commenting out the CSP line in https.conf fixed it.

Currently using:

Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri ‘self'

Which fails.

Is there a recommended CSP for Roundcube?

thanks,

James.