Hello,

Here are some options I've set in my Apache configuration, and for my setup Roundcube does show messages.

Hth
Dave.

Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"
# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff
# Content-Security-Policy
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"
# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy
Header always set Referrer-Policy "strict-origin"
# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'

On 10/9/19, roundcube--li...@thomas.freit.ag <roundcube--li...@thomas.freit.ag> wrote:
> Hi James,
>
> my guess is that the header configured in your .htaccess file is not
> overriding the one set in http.conf. You can easily check this with Firefox or Chrome dev tools in the
> network tab.
> Unfortunately Apache httpd documentation (@
> https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.
>
> On 09.10.19 09:38, James Brown wrote:
>> Still can't get this to work.
>>
>> I'm using the .htaccess file in my roundcube/ root.
>>
>> I.e. to override the CSP headers in http.conf (for all that Apache serves).
>>
>> No matter what I put I still get no messages in the mailboxes.
>>
>> JavaScript Console shows:
>>
>> Refused to execute a script because its hash, its nonce, or
>> 'unsafe-inline' appears in neither the script-src directive nor the
>> default-src directive of the Content Security Policy.
>> roundcube:57
>>
>> In apache_root/roundcube/.htaccess I have:
>>
>> Header set Content-Security-Policy "default-src 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; referrer no-referrer"
>>
>
> I would suggest to use "Header always set ..." or "Header unset Content-Security-Policy" before
> setting it with a new value.
>
>> httpd.conf has:
>>
>> Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"
>
> My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
> style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests;
> block-all-mixed-content; report-uri....". Works for latest 1.3.x and 1.4.x-RC, with httpd 2.4.38.
> "Header set" in my .htaccess is sufficient to set it.
>
> hth,
> Thomas
> _______________________________________________
> Roundcube Users mailing list
> users@lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/users
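Thomas's advice to inspect the response in the network tab points at the underlying mechanism: when more than one Content-Security-Policy header reaches the browser, every policy is enforced independently, so an inline script has to be permitted by all of them. The following Python script is added here and is not part of the thread; it models that check with helper names of my own (parse_csp, script_sources, inline_script_allowed) and with sample header values constructed from the two configurations quoted above.

```python
"""Model how a browser combines several Content-Security-Policy headers.

Every policy delivered is enforced; a script runs only if each policy allows it.
Sample values below are constructed from the thread, not fetched from a server.
"""


def parse_csp(value: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: dict) -> list:
    """Effective script-src: falls back to default-src when script-src is absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def inline_script_allowed(header_values: list) -> bool:
    """True only if every delivered policy lists 'unsafe-inline' for scripts.

    Nonces and hashes are not modelled; the inline blocks in the error
    message above carry neither, which is why 'unsafe-inline' is the test.
    """
    for value in header_values:
        if "'unsafe-inline'" not in script_sources(parse_csp(value)):
            return False
    return True


# Constructed (and shortened) from the .htaccess and httpd.conf lines quoted above.
HTACCESS_CSP = ("default-src 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
                "style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'")
HTTPD_CONF_CSP = ("default-src 'self'; form-action 'self'; frame-ancestors 'self'; "
                  "base-uri 'self'")

if __name__ == "__main__":
    # Only the .htaccess policy reaches the browser: inline scripts run.
    print(inline_script_allowed([HTACCESS_CSP]))                  # True
    # Both headers are delivered: the httpd.conf policy has no script-src,
    # falls back to default-src 'self', and blocks the inline script.
    print(inline_script_allowed([HTACCESS_CSP, HTTPD_CONF_CSP]))  # False
```

If the network tab shows two Content-Security-Policy lines on the Roundcube response, this is the situation the second call models, and "Header unset" or "Header always set" in .htaccess is what removes the extra one.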