Finally got this to work. In http.conf I put:
<Directory "/path/to/roundcube">
AllowOverride All
Options +Indexes
</Directory>

Then created /path/to/roundcube/.htaccess and it has:

Header unset Content-Security-Policy
Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"

Not sure if the first line with the ‘unset’ is needed.

After restarting Apache it works.

Hope that helps someone else.

James.

> On 11 Oct 2019, at 4:55 pm, James Brown <jlbr...@bordo.com.au> wrote:
>
> Good suggestion.
>
> Unfortunately it still doesn’t work.
>
> In http.conf I put:
>
> <Directory “path/to/sites/roundcube” >
> AllowOverride All
> </Directory>
>
> But I would always get “.../roundcube/.htaccess: Header not allowed here”
>
> So commented everything out of roundcube/.htaccess and in http.conf I put:
>
> <Directory "path/to/sites/roundcube">
> AllowOverride All
> #Header unset Content-Security-Policy
> Header always set Content-Security-Policy "default-src 'self'
> 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src
> 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests;
> block-all-mixed-content"
> </Directory>
>
> But still get:
>
> [Error] Refused to execute a script because its hash, its nonce, or
> 'unsafe-inline' appears in neither the script-src directive nor the
> default-src directive of the Content Security Policy. (roundcube, line 17)
> [Error] Refused to execute a script because its hash, its nonce, or
> 'unsafe-inline' appears in neither the script-src directive nor the
> default-src directive of the Content Security Policy. (roundcube, line 57)
>
> Maddening!
>
> James.
>
>> On 11 Oct 2019, at 12:02 am, @lbutlr <krem...@kreme.com> wrote:
>>
>> On Oct 9, 2019, at 11:46 PM, James Brown <jlbr...@bordo.com.au> wrote:
>>> I think you could be right Thomas, as whatever I put into the .htaccess
>>> file doesn’t seem to make a difference.
>>
>> Sounds like your .htaccess file is not being processed then.
>>
>> What is the AllowOverride directive in your http.conf for the roundcube
>> directory or parent directory.
>>
>> For example, my roundcube install is in /usr/local/www/roundcube and in
>> http.conf I have
>>
>> <Directory "/usr/local/www">
>> . . . stuff
>> AllowOverride All
>> . . . stuff
>> </Directory>
>>
>> --
>> The thing standing in the way of your dreams is that the person having them
>> is
>> *you* https://xkcd.com/1027/
_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
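
The "Refused to execute a script" error quoted in the thread can appear even when the configured policy lists 'unsafe-inline', because a browser enforces every Content-Security-Policy it receives and a script must pass all of them. The check below is an added example, not code from the thread or from Roundcube; ATTEMPT is the policy from the quoted failing attempt, while OTHER is a constructed stand-in for a second policy set elsewhere, and whether one was present on this installation is an assumption.

```python
# Added example (not from the thread): does a response's CSP allow plain inline <script>?
# Browsers enforce every policy delivered, so one strict policy is enough to block.

def parse_csp(value):
    """Parse one policy string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # duplicate directives are ignored
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def allows_inline_script(policy):
    """True if an inline script without nonce or hash passes this policy."""
    for name in ("script-src", "default-src"):  # script-src falls back to default-src
        if name in policy:
            sources = policy[name]
            break
    else:
        return True  # neither directive present: scripts are not restricted
    # A nonce or hash source makes browsers ignore 'unsafe-inline'.
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        return False
    return "'unsafe-inline'" in sources

def inline_allowed(header_values):
    """Check all policies; one header value may carry several, comma-separated."""
    policies = [p for v in header_values for p in v.split(",") if p.strip()]
    return all(allows_inline_script(parse_csp(p)) for p in policies)

# Policy from the earlier, failing attempt quoted in the thread.
ATTEMPT = ("default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' "
           "'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; "
           "upgrade-insecure-requests; block-all-mixed-content")
# Constructed stand-in for a second policy set elsewhere (assumption, not from the thread).
OTHER = "script-src 'self'"

if __name__ == "__main__":
    print("attempt alone:", inline_allowed([ATTEMPT]))
    print("attempt + other:", inline_allowed([OTHER, ATTEMPT]))
```

To use it on a real response, pass every Content-Security-Policy value shown for that response in the browser's network tab.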