I think you could be right Thomas, as whatever I put into the .htaccess file 
doesn’t seem to make a difference.

Even tried putting:

<Directory "apache_root/roundcube">
        Header unset Content-Security-Policy
</Directory>

In httpd.conf to no avail.

James.

> On 10 Oct 2019, at 6:06 am, roundcube--li...@thomas.freit.ag wrote:
> 
> Hi James,
> 
> my guess is that the header configured in your .htaccess file is not 
> overriding the one set in httpd.conf. You can easily check this with 
> Firefox or Chrome dev tools in the network tab.
> Unfortunately Apache httpd documentation (@
> https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.
> 
> On 09.10.19 09:38, James Brown wrote:
>> Still can’t get this to work.
>> 
>> I’m using the .htaccess file in my roundcube/ root.
>> 
>> I.e. to override the CSP headers in httpd.conf (for all that Apache serves).
>> 
>> No matter what I put I still get no messages in the mailboxes.
>> 
>> Javascript Console shows:
>> 
>> Refused to execute a script because its hash, its nonce, or 'unsafe-inline' 
>> appears in neither the script-src directive nor the default-src directive of 
>> the Content Security Policy.
>> roundcube:57
>> 
>> In apache_root/roundcube/.htaccess I have:
>> 
>> Header set Content-Security-Policy "default-src 'unsafe-eval'; script-src 
>> 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; 
>> img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 
>> 'self'; base-uri 'self'; form-action 'self'; referrer no-referrer"
>> 
> 
> I would suggest using "Header always set ..." or "Header unset 
> Content-Security-Policy" before setting it with a new value.
> 
>> httpd.conf has:
>> 
>> Header set Content-Security-Policy "default-src 'self'; form-action 'self'; 
>> frame-ancestors 'self'; base-uri 'self'; report-uri 
>> https://bordo.report-uri.com/r/d/csp/wizard"
> 
> My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 
> 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; 
> upgrade-insecure-requests; block-all-mixed-content; report-uri....". 
> Works for latest 1.3.x and 1.4.x-RC, with httpd 2.4.38. 
> "Header set" in my .htaccess is sufficient to set it.
> 
> hth,
> Thomas
> _______________________________________________
> Roundcube Users mailing list
> users@lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/users
