Hi so after some testing, it looks like the lighttpd setting:

setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains", "X-Frame-Options" => "DENY" )

in particular: "X-Frame-Options" => "DENY"

was causing the issue.

There is some bug tracking about it and roundcube ( http://trac.roundcube.net/ticket/1487037 ) and it is also documented in the 'defaults.inc.php' file:

// X-Frame-Options HTTP header value sent to prevent from Clickjacking. // Possible values: sameorigin|deny. Set to false in order to disable sending them $config['x_frame_options'] = 'sameorigin';

anyway, could you please suggest the best setting of both roundcube and lighttpd ? (should lighttpd be set to 'sameorigin' or should roundcube be set to 'deny' ?)

Thanks for supporting! RuggedInbox team

On 2014-08-21 13:42, ml@ruggedinbox.com wrote:

Hi all! We recently improved our https configuration on lighttpd: https://www.ssllabs.com/ssltest/analyze.html?d=ruggedinbox.com but something seems to have broken roundcube .. can't properly attach files, can't send emails, sometimes can't logout.

We are pointing the finger at ssl because when using roundcube as a Tor hidden service (thus bypassing ssl), everything works ok and smooth.

Try yourself: username: demo password: demo11 under ssl: https://ruggedinbox.com/rc as a Tor hidden service: http://s4bysmmsnraf7eut.onion/rc

What do you think ?

Thanks for supporting! RuggedInbox team