Turning on 'Show Javascript Console' from Safari Develop menu showed me that my Content Security Policy was preventing emails displaying in mailboxes.
Additionally at logout I get the message
"PHP Error: Request security check failed REQUEST CHECK FAILED For your protection, access to this resource is secured against CSRF. If you see this, you probably didn't log out before leaving the web application.
Human interaction is now required to continue." Please contact your server-administrator.
Commenting out the CSP line in https.conf fixed it.
Currently using:
Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'"
Which fails.
Is there a recommended CSP for Roundcube?
thanks,
James.
Hello,
I am also interested in an answer to this question. For my setup I have:
# Content-Security-Policy
Header set Content-Security-Policy "default-src 'self';"
I have no idea if this is right or complete.
I'm also interested in the best settings for these headers:
# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"
# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff
# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy
Header set Referrer-Policy "strict-origin"
Thanks. Dave.
On 7/25/19, James Brown jlbrown@bordo.com.au wrote:
_______________________________________________ Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users
Still can’t get this to work.
I’m using the .htaccess file in my roundcube/ root.
I.e. to override the CSP headers in http.conf (for all that Apache serves).
No matter what I put I still get no messages in the mailboxes.
Javascript Console shows:
Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. roundcube:57
In apache_root/roundcube/.htaccess I have:
Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"
httpd.conf has:
Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"
Any suggestions?
Thanks,
James.
On 27 Jul 2019, at 7:32 am, David Mehler dave.mehler@gmail.com wrote:
On Oct 9, 2019, at 01:50, James Brown jlbrown@bordo.com.au wrote:
Any suggestions?
What happens if there is no htaccess file?
Hi James,
my guess is, that the header configured in your .htaccess file is not overriding the one set in http.conf. You can easily check this with Firefox or Chrome dev tools in the network tab. Unfortunately Apache httpd documentation (@ https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.
On 09.10.19 09:38, James Brown wrote:
Still can’t get this to work.
I’m using the .htaccess file in my roundcube/ root.
Ie to override the CSP headers in http.conf (for all that Apache serves).
No matter what I put I still get no messages in the mailboxes.
Javascript Console shows:
Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. roundcube:57
In apache_root/roundcube/.htaccess I have:
Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"
I would suggest to use "Header always set ..." or "Header unset Content-Security-Policy" before setting it with a new value.
httpd.conf has:
Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"
My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; report-uri....". Works for latest 1.3.x and 1.4.x-RC, with httpd 2.4.38 "header set" in my .htaccess is sufficient to set it.
hth, Thomas
Hello,
Here's some options I've set in my apache configuration and for my setup roundcube does show messages.
Hth Dave.
Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"
# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff
# Content-Security-Policy
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"
# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy
Header always set Referrer-Policy "strict-origin"
# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'
On 10/9/19, roundcube--lists@thomas.freit.ag roundcube--lists@thomas.freit.ag wrote:
On 10 Oct 2019, at 2:16 am, LuKreme kremels@kreme.com wrote:
On Oct 9, 2019, at 01:50, James Brown jlbrown@bordo.com.au wrote:
Any suggestions?
What happens if there is no htaccess file?
Hi LuKreme.
That’s what I had originally. The CSP Header in http.conf prevents Roundcube from working properly.
That’s why I was trying to use .htaccess in the roundcube directory to overwrite it.
James.
I think you could be right Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.
Even tried putting:
<Directory "apache_root/roundcube">
    Header unset Content-Security-Policy
</Directory>
In https.conf to no avail.
James.
On 10 Oct 2019, at 6:06 am, roundcube--lists@thomas.freit.ag wrote:
On Oct 9, 2019, at 11:46 PM, James Brown jlbrown@bordo.com.au wrote:
I think you could be right Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.
Sounds like your .htaccess file is not being processed then.
What is the AllowOverride directive in your http.conf for the roundcube directory or parent directory.
For example, my roundcube install is in /usr/local/www/roundcube and in http.conf I have
<Directory "/usr/local/www">
    . . . stuff
    AllowOverride All
    . . . stuff
</Directory>
Good suggestion.
Unfortunately it still doesn’t work.
In http.conf I put:
<Directory "path/to/sites/roundcube">
    AllowOverride All
</Directory>
But I would always get “.../roundcube/.htaccess: Header not allowed here”
So commented everything out of roundcube/.htaccess and in http.conf I put:
<Directory "path/to/sites/roundcube">
    AllowOverride All
    #Header unset Content-Security-Policy
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
</Directory>
But still get:
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 17)
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 57)
Maddening!
James.
On 11 Oct 2019, at 12:02 am, @lbutlr kremels@kreme.com wrote:
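Added example, not code from this thread, from Roundcube or from Apache: a small Python model of the two behaviours the thread turns on. First, mod_headers keeps two separate header tables, the default one that `Header set` / `Header unset` edit and the "always" one that `Header always set` / `Header always unset` edit, and the response carries whatever is left in both; so a server-level `Header set Content-Security-Policy` next to a directory-level `Header always set Content-Security-Policy` (the configuration in James's last message) sends two CSP headers. Second, a browser enforces every CSP header it receives, so an inline `<script>` without a nonce or hash is refused if any one of them lacks `'unsafe-inline'` in `script-src` (falling back to `default-src`), which is exactly the console error quoted above. The scenario names, the `header()` helper and the two policy strings are constructed for the example; the directive lines themselves are ordinary mod_headers syntax.

```python
"""Constructed model (example, not Roundcube or Apache code): how Apache
mod_headers merges Content-Security-Policy directives from several config
scopes, and how a browser then judges an inline <script> (no nonce, no hash)
against every CSP header the response carries."""
import shlex

HEADER = "Content-Security-Policy"
# The two policies from the thread: the strict server-wide one from httpd.conf
# and the relaxed one Thomas uses so Roundcube's inline scripts can run.
STRICT = "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'"
RELAXED = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
           "style-src 'unsafe-inline' 'self'; form-action 'self'")

def apply_directives(directives):
    """Apply `Header [always] set|unset Name ["value"]` lines in the order httpd
    processes them (server config, then <Directory> / .htaccess). mod_headers
    keeps two tables: the default one edited by `Header set/unset` and the
    "always" one edited by `Header always ...`; neither sees the other."""
    tables = {"onsuccess": {}, "always": {}}
    for line in directives:
        tok = shlex.split(line)
        if not tok or tok[0] != "Header":
            raise ValueError(f"not a Header directive: {line}")
        tok = tok[1:]
        which = "onsuccess"
        if tok[0] == "always":
            which, tok = "always", tok[1:]
        action, name = tok[0], tok[1]
        if action == "set":
            tables[which][name] = tok[2]
        elif action == "unset":
            tables[which].pop(name, None)
        else:
            raise ValueError(f"action not modelled here: {action}")
    return tables

def emitted(tables, name=HEADER):
    """Every copy of `name` that reaches the client: one per table holding it."""
    return [t[name] for t in tables.values() if name in t]

def parse_policy(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tok = directive.split()
        if tok:
            policy[tok[0].lower()] = [s.lower() for s in tok[1:]]
    return policy

def allows_inline_script(policy):
    """script-src governs, falling back to default-src; with neither, nothing
    restricts the script. A nonce or hash in the list disables 'unsafe-inline'
    (CSP Level 2+), and our script carries neither, so it is then blocked."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for s in sources)
    return "'unsafe-inline'" in sources and not nonce_or_hash

def inline_script_allowed(header_values):
    """Every CSP header in a response is enforced; one blocking policy suffices."""
    return all(allows_inline_script(parse_policy(v)) for v in header_values)

def header(action, value=None, always=False):
    """Render one mod_headers directive for HEADER (constructed helper)."""
    line = f"Header {'always ' if always else ''}{action} {HEADER}"
    return line + (f' "{value}"' if value is not None else "")

# Constructed scenarios, each in httpd's processing order.
SCENARIOS = {
    # httpd.conf alone: James's original server-wide policy.
    "server set": [header("set", STRICT)],
    # James's last attempt: server-level `Header set`, directory-level
    # `Header always set`. Different tables, so both headers go out.
    "server set + dir always set": [header("set", STRICT),
                                    header("set", RELAXED, always=True)],
    # Same table: the directory-level `set` replaces the inherited value.
    "server set + dir set": [header("set", STRICT), header("set", RELAXED)],
    # Thomas's suggestion: unset the inherited header, then set the new one.
    "server set + dir unset + dir always set": [header("set", STRICT), header("unset"),
                                                header("set", RELAXED, always=True)],
    # Wrong table: `always unset` cannot remove a header placed with plain `set`.
    "server set + dir always unset": [header("set", STRICT),
                                      header("unset", always=True)],
}

def evaluate(scenario):
    """Return (number of CSP headers sent, whether an inline script runs)."""
    values = emitted(apply_directives(SCENARIOS[scenario]))
    return len(values), inline_script_allowed(values)

if __name__ == "__main__":
    for name in SCENARIOS:
        sent, ok = evaluate(name)
        print(f"{name:40} CSP headers: {sent}  inline script: {'allowed' if ok else 'BLOCKED'}")
```

Run stand-alone, the "server set + dir always set" case reports two headers and a blocked script, while "dir unset + dir always set" (Thomas's suggestion) sends one permissive header. To see what a real server emits, `curl -sI https://host/roundcube/ | grep -i content-security-policy` lists every copy of the header, which is the check Thomas recommends via the browser's network tab. Two related caveats: `Header` directives in `.htaccess` are only honoured when `AllowOverride` grants `FileInfo` (part of `All`) for that directory, and "Header not allowed here" is what httpd logs when it does not; and granting `'unsafe-inline'` to `script-src` gives up most of the XSS protection a CSP provides, which in this thread is the price of running Roundcube's inline scripts behind a CSP at all.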