Still can’t get this to work. I’m using the .htaccess file in my roundcube/ root.
I.e. to override the CSP headers in http.conf (for all that Apache serves). No matter what I put I still get no messages in the mailboxes.

Javascript Console shows:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. roundcube:57

In apache_root/roundcube/.htaccess I have:

Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"

httpd.conf has:

Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"

Any suggestions?

Thanks,

James.

> On 27 Jul 2019, at 7:32 am, David Mehler <dave.meh...@gmail.com> wrote:
>
> Hello,
>
> I am also interested in an answer to this question. For my setup I have:
>
> # Content-Security-Policy
> Header set Content-Security-Policy "default-src 'self';"
>
> I have no idea if this is right or complete.
>
> I'm also interested in the best settings for these headers:
>
> # Prevent ClickJacking
> # Deny outright
> #Header always set X-Frame-Options DENY
> # Roundcube needs this for displaying messages in tabs
> Header always set X-Frame-Options SAMEORIGIN
>
> # Prevent Cross Site Scripting (XSS)
> Header set X-XSS-Protection "1; mode=block"
>
> # Prevent Mime Types Security risks
> Header always set X-Content-Type-Options nosniff
>
> # Cross-domain-policy
> Header set X-Permitted-Cross-Domain-Policies "none"
>
> # Referer policy
> Header set Referrer-Policy "strict-origin"
>
> Thanks.
> Dave.
>
> On 7/25/19, James Brown <jlbr...@bordo.com.au> wrote:
>> Turning on 'Show Javascript Console' from Safari Develop menu showed me that
>> my Content Security Policy was preventing emails displaying in mailboxes.
>>
>> Additionally at logout I get the message
>>
>> "PHP Error: Request security check failed
>> REQUEST CHECK FAILED
>> For your protection, access to this resource is secured against CSRF.
>> If you see this, you probably didn't log out before leaving the web
>> application.
>>
>> Human interaction is now required to continue."
>> Please contact your server-administrator.
>>
>> Commenting out the CSP line in https.conf fixed it.
>>
>> Currently using:
>>
>> Header set Content-Security-Policy "default-src 'self'; form-action 'self';
>> frame-ancestors 'self'; base-uri ‘self'
>>
>> Which fails.
>>
>> Is there a recommended CSP for Roundcube?
>>
>> thanks,
>>
>> James.
>> _______________________________________________
>> Roundcube Users mailing list
>> users@lists.roundcube.net
>> http://lists.roundcube.net/mailman/listinfo/users
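The console message quoted above is the browser saying that whatever script-src it ended up with (or default-src, when script-src is absent) contains no 'unsafe-inline', nonce or hash. The following checker, an added example for this thread and not Roundcube's or Apache's code, parses the two Header values James posted and reports which of them would permit Roundcube's inline scripts, flags the doubled quote in `''unsafe-eval'` (a browser ignores a source it cannot recognise), notes that `referrer` is no longer a CSP directive (it was replaced by the separate Referrer-Policy header that Dave's snippet sets), and shows the effective result if both headers reach the browser, since a response carrying several CSP headers is allowed to run a script only when every one of them permits it. The policy strings are taken from the messages above; everything else is this example's own assumption.

```python
"""Does a Content-Security-Policy let inline <script> run, and what is the
effective answer when more than one CSP header reaches the browser?

Added example for this thread, not Roundcube's or Apache's code. The two
policy strings are copied from the Header lines James posted; the rules
applied are the CSP ones a browser uses: script-src falls back to
default-src when absent, an unrecognised source expression is ignored,
and with several CSP headers each of them must allow the script.
"""
import re
from typing import Dict, List, Optional, Tuple

# The two values from James's message (the .htaccess one and the httpd.conf one).
HTACCESS_CSP = (
    "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; "
    "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; "
    "form-action 'self';referrer no-referrer"
)
HTTPD_CONF_CSP = (
    "default-src 'self'; form-action 'self'; frame-ancestors 'self'; "
    "base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"
)

# Quoted source expressions a browser recognises (CSP keywords, nonces, hashes).
KEYWORD_RE = re.compile(
    r"^'(self|none|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic|report-sample"
    r"|nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$"
)
# Directives dropped from CSP; browsers ignore them. 'referrer' was replaced
# by the separate Referrer-Policy header (the one Dave's snippet sets).
REMOVED_DIRECTIVES = {"referrer"}

Policy = Dict[str, List[str]]


def parse_csp(header: str) -> Policy:
    """Split a header value into {directive name: [source tokens]}."""
    policy: Policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            name, *sources = tokens
            policy.setdefault(name.lower(), sources)  # duplicate directive: first wins
    return policy


def malformed_tokens(policy: Policy) -> List[Tuple[str, str]]:
    """Quoted tokens that are not valid keywords, e.g. ''unsafe-eval' (doubled quote)."""
    return [(name, tok) for name, sources in policy.items()
            for tok in sources if tok.startswith("'") and not KEYWORD_RE.match(tok)]


def removed_directives(policy: Policy) -> List[str]:
    """Directive names present in the policy that browsers no longer honour."""
    return sorted(name for name in policy if name in REMOVED_DIRECTIVES)


def script_sources(policy: Policy) -> Optional[List[str]]:
    """Sources governing <script>: script-src, else default-src, else unrestricted (None)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_inline_script(policy: Policy) -> bool:
    """True when an inline <script> without nonce/hash may run under this policy."""
    sources = script_sources(policy)
    if sources is None:
        return True  # no directive applies, so nothing is blocked
    valid = [s for s in sources if not s.startswith("'") or KEYWORD_RE.match(s)]
    # A nonce or hash source makes the browser ignore 'unsafe-inline'.
    if any(s.startswith(("'nonce-", "'sha")) for s in valid):
        return False
    return "'unsafe-inline'" in valid


def effective_inline_allowed(headers: List[str]) -> bool:
    """Several CSP headers are enforced independently: all of them must allow."""
    return all(allows_inline_script(parse_csp(h)) for h in headers)


if __name__ == "__main__":
    for label, value in (("htaccess", HTACCESS_CSP), ("httpd.conf", HTTPD_CONF_CSP)):
        pol = parse_csp(value)
        print(f"{label}: inline scripts allowed={allows_inline_script(pol)}, "
              f"malformed={malformed_tokens(pol)}, removed={removed_directives(pol)}")
    print("both headers sent:", effective_inline_allowed([HTACCESS_CSP, HTTPD_CONF_CSP]))
```

Run on the two policies, the checker reports that the httpd.conf value on its own blocks inline scripts (script-src is absent, so default-src 'self' applies, which is exactly the console message), that the .htaccess value would allow them, and that if both headers are present in the response the stricter one decides. So the first thing to confirm is which Content-Security-Policy header(s) the Roundcube response actually carries (for example with `curl -sI` against the login page); if the .htaccess file is not being processed, the server-level header is the only one the browser sees.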