Finally got this to work.
In http.conf I put:
<Directory “/parth/to/roundcube"> AllowOverride All Options +Indexes
</Directory>
Then created /path/to/roundcube/.htaccess and it has:
Header unset Content-Security-Policy Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
Not sure if the first line with the ‘unset’ is needed.
After restarting Apache it works.
Hope that helps someone else.
James.
On 11 Oct 2019, at 4:55 pm, James Brown jlbrown@bordo.com.au wrote:
Good suggestion.
Unfortunately it still doesn’t work.
In http.conf I put:
<Directory “path/to/sites/roundcube” AllowOverride All
</Directory>
But I would always get “.../roundcube/.htaccess: Header not allowed here”
So commented everything out of roundcube/.htaccess and in http.conf I put:
<Directory "path/to/sites/roundcube"> AllowOverride All #Header unset Content-Security-Policy Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
</Directory>
But still get:
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 17) [Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 57)
Maddening!
James.
On 11 Oct 2019, at 12:02 am, @lbutlr kremels@kreme.com wrote:
On Oct 9, 2019, at 11:46 PM, James Brown jlbrown@bordo.com.au wrote:
I think you could be right Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.
Sounds like your .htaccess file is not being processed then.
What is the AllowOverride directive in your http.conf for the roundcube directory or parent directory.
For example, my roundcube install is in /usr/local/www/roundcube and in http.conf I have
<Directory "/usr/local/www”> . . . stuff AllowOverride All . . . stuff
</Directory>
-- The thing standing in the way of your dreams is that the person having them is *you* https://xkcd.com/1027/
Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users
Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users