I think you could be right Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.
Even tried putting:

<Directory "apache_root/roundcube">
Header unset Content-Security-Policy
</Directory>

in https.conf to no avail.

James.

> On 10 Oct 2019, at 6:06 am, roundcube--li...@thomas.freit.ag wrote:
>
> Hi James,
>
> my guess is that the header configured in your .htaccess file is not
> overriding the one set in http.conf. You can easily check this with
> Firefox or Chrome dev tools in the network tab.
> Unfortunately Apache httpd documentation (@
> https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.
>
> On 09.10.19 09:38, James Brown wrote:
>> Still can’t get this to work.
>>
>> I’m using the .htaccess file in my roundcube/ root.
>>
>> I.e. to override the CSP headers in http.conf (for all that Apache serves).
>>
>> No matter what I put I still get no messages in the mailboxes.
>>
>> Javascript Console shows:
>>
>> Refused to execute a script because its hash, its nonce, or 'unsafe-inline'
>> appears in neither the script-src directive nor the default-src directive of
>> the Content Security Policy.
>> roundcube:57
>>
>> In apache_root/roundcube/.htaccess I have:
>>
>> Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src
>> 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';
>> img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors
>> 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"
>>
>
> I would suggest using "Header always set ..." or "Header unset
> Content-Security-Policy" before setting it with a new value.
>
>> httpd.conf has:
>>
>> Header set Content-Security-Policy "default-src 'self'; form-action 'self';
>> frame-ancestors 'self'; base-uri 'self'; report-uri
>> https://bordo.report-uri.com/r/d/csp/wizard"
>
> My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline'
> 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self';
> upgrade-insecure-requests; block-all-mixed-content; report-uri....". Works
> for latest 1.3.x and 1.4.x-RC, with httpd 2.4.38.
> "header set" in my .htaccess is sufficient to set it.
>
> hth,
> Thomas
> _______________________________________________
> Roundcube Users mailing list
> users@lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/users
_______________________________________________ Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users
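As an added illustration (not code from this thread or from Roundcube): a small Python checker that applies the script-src/default-src fallback behind the console error quoted above, and shows why two CSP headers arriving together (e.g. when the httpd.conf header sits in mod_headers' "always" table and a .htaccess "Header set" only adds an "onsuccess" one) still block Roundcube's inline scripts. The policy strings are copied from the thread; the function names are mine.

```python
"""Check whether the CSP header(s) a browser receives permit inline <script>.

Sample policies below are copied from the mailing-list thread; the checker
itself is an added example, not part of Roundcube or Apache.
"""
from __future__ import annotations

KEYED_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized CSP into {directive: [source expressions]}.
    Directive names are case-insensitive; the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def inline_scripts_allowed(header: str) -> bool:
    """Browser fallback: script-src governs inline scripts; if absent, default-src
    does. Inline scripts with no nonce/hash (Roundcube's case) need
    'unsafe-inline', and a nonce or hash source in the same directive disables
    'unsafe-inline' in CSP Level 2+ browsers."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:  # neither directive present: nothing restricts scripts
        return True
    keyed = any(s.startswith(KEYED_PREFIXES) for s in sources)
    return "'unsafe-inline'" in sources and not keyed


def effective_inline_allowed(headers: list[str]) -> bool:
    """Every CSP header received is enforced independently, so an inline script
    runs only if each policy allows it. Two headers arrive when .htaccess adds a
    policy instead of replacing the one from httpd.conf."""
    return all(inline_scripts_allowed(h) for h in headers)


# Copied from the thread (report-uri omitted).
HTTPD_CONF_CSP = ("default-src 'self'; form-action 'self'; frame-ancestors 'self'; "
                  "base-uri 'self'")
THOMAS_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
              "style-src 'unsafe-inline' 'self'; form-action 'self'; "
              "upgrade-insecure-requests; block-all-mixed-content")

if __name__ == "__main__":
    print(inline_scripts_allowed(HTTPD_CONF_CSP))                  # False
    print(inline_scripts_allowed(THOMAS_CSP))                      # True
    print(effective_inline_allowed([THOMAS_CSP, HTTPD_CONF_CSP]))  # False
```

Confirm what actually reaches the browser by inspecting the response headers in the dev tools network tab, as Thomas suggests: if two Content-Security-Policy lines appear, the .htaccess directive added a policy instead of replacing the httpd.conf one.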