Re: [RCU] Content Security Policy for Roundcube

2019-10-30 Thread James Brown
Finally got this to work.

In http.conf I put:

<Directory /path/to/roundcube>
AllowOverride All
Options +Indexes
</Directory>

Then created /path/to/roundcube/.htaccess and it has:

Header unset Content-Security-Policy
Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"

Not sure if the first line with the ‘unset’ is needed.

After restarting Apache it works.

Hope that helps someone else.

James.


> On 11 Oct 2019, at 4:55 pm, James Brown  wrote:
> 
> Good suggestion.
> 
> Unfortunately it still doesn’t work.
> 
> In http.conf I put:
> 
> <Directory /path/to/roundcube>
> AllowOverride All
> </Directory>
> 
> But I would always get “.../roundcube/.htaccess: Header not allowed here” 
> 
> So commented everything out of roundcube/.htaccess and in http.conf I put:
> 
> <Directory /path/to/roundcube>
>   AllowOverride All
>   #Header unset Content-Security-Policy
>   Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
> </Directory>
> 
> 
> But still get:
> 
> [Error] Refused to execute a script because its hash, its nonce, or 
> 'unsafe-inline' appears in neither the script-src directive nor the 
> default-src directive of the Content Security Policy. (roundcube, line 17)
> [Error] Refused to execute a script because its hash, its nonce, or 
> 'unsafe-inline' appears in neither the script-src directive nor the 
> default-src directive of the Content Security Policy. (roundcube, line 57)
> 
> Maddening!
> 
> James.
> 
>> On 11 Oct 2019, at 12:02 am, @lbutlr  wrote:
>> 
>> On Oct 9, 2019, at 11:46 PM, James Brown  wrote:
>>> I think you could be right Thomas, as whatever I put into the .htaccess 
>>> file doesn’t seem to make a difference.
>> 
>> Sounds like your .htaccess file is not being processed then.
>> 
>> What is the AllowOverride directive in your http.conf for the roundcube 
>> directory or parent directory.
>> 
>> For example, my roundcube install is in /usr/local/www/roundcube and in 
>> http.conf I have 
>> 
>> <Directory /usr/local/www/roundcube>
>> . . . stuff
>> AllowOverride All
>> . . . stuff
>> </Directory>
>> 
>> 




smime.p7s
Description: S/MIME cryptographic signature
___
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
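The CSP evaluation behind the browser error quoted in this message, and behind the question whether the `Header unset` line is needed, as an added example (it is not code from the thread, from Roundcube or from Apache). The policies are the ones posted in the thread, joined onto one line each; the nonce and `'strict-dynamic'` handling goes beyond what the thread discusses. With a server-wide `Header set` still in httpd.conf, a `Header always set` in .htaccess lands in mod_headers' separate `always` table, so without the `unset` the browser receives both headers and enforces both:

```python
"""Decide whether an inline <script> runs under the CSP header(s) a browser
receives. Added example for this thread; not Roundcube or Apache code.

Two rules from the CSP specification explain the console error quoted above
("Refused to execute a script because its hash, its nonce, or
'unsafe-inline' appears in neither the script-src directive nor the
default-src directive"):
  1. script-src falls back to default-src when script-src is absent.
  2. When a response carries several Content-Security-Policy headers, each
     policy is enforced on its own: a script runs only if every policy
     allows it.
"""

# Server-wide policy from httpd.conf (James, 9 Oct), one line
GLOBAL_POLICY = (
    "default-src 'self'; form-action 'self'; frame-ancestors 'self'; "
    "base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"
)

# .htaccess policy that finally worked for Roundcube (James, 30 Oct)
ROUNDCUBE_POLICY = (
    "default-src 'unsafe-inline' 'unsafe-eval'; "
    "script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; "
    "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; "
    "form-action 'self'"
)

# First .htaccess attempt (9 Oct), including its malformed ''unsafe-eval' token
FIRST_ATTEMPT = (
    "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; "
    "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; "
    "form-action 'self';referrer no-referrer"
)


def parse_csp(header_value):
    """Split one header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        # A directive repeated inside one policy is ignored (first one wins).
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_src(policy):
    """Sources governing <script>: script-src, else default-src, else None."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def policy_allows_inline_script(policy):
    """True if this single policy lets an inline script without nonce/hash run."""
    sources = effective_script_src(policy)
    if sources is None:
        return True  # neither directive present: scripts are unrestricted
    lowered = [s.lower() for s in sources]
    # 'unsafe-inline' is ignored once a nonce, a hash or 'strict-dynamic'
    # appears in the same directive (CSP Level 2/3 behaviour).
    if "'strict-dynamic'" in lowered or any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in lowered
    ):
        return False
    return "'unsafe-inline'" in lowered


def inline_script_allowed(header_values):
    """Browser-side verdict for a response carrying one or more CSP headers."""
    return all(policy_allows_inline_script(parse_csp(v)) for v in header_values)


if __name__ == "__main__":
    cases = {
        "httpd.conf policy only": [GLOBAL_POLICY],
        "Roundcube .htaccess policy only": [ROUNDCUBE_POLICY],
        "both headers sent (no 'Header unset')": [GLOBAL_POLICY, ROUNDCUBE_POLICY],
        "first .htaccess attempt": [FIRST_ATTEMPT],
    }
    for label, headers in cases.items():
        verdict = "runs" if inline_script_allowed(headers) else "REFUSED"
        print(f"{label:40} inline script {verdict}")
```

The server-wide policy alone and the two-header case both come out as REFUSED, which is the console error in this thread; only the single Roundcube policy lets the inline scripts run. The first .htaccess attempt passes as well: its malformed `''unsafe-eval'` token sits in default-src, which scripts never consult once script-src is present, so that policy was not the reason it failed.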

Re: [RCU] Content Security Policy for Roundcube

2019-10-11 Thread James Brown
Good suggestion.

Unfortunately it still doesn’t work.

In http.conf I put:

<Directory /path/to/roundcube>
AllowOverride All
</Directory>

But I would always get “.../roundcube/.htaccess: Header not allowed here” 

So commented everything out of roundcube/.htaccess and in http.conf I put:

<Directory /path/to/roundcube>
AllowOverride All
#Header unset Content-Security-Policy
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
</Directory>


But still get:

[Error] Refused to execute a script because its hash, its nonce, or 
'unsafe-inline' appears in neither the script-src directive nor the default-src 
directive of the Content Security Policy. (roundcube, line 17)
[Error] Refused to execute a script because its hash, its nonce, or 
'unsafe-inline' appears in neither the script-src directive nor the default-src 
directive of the Content Security Policy. (roundcube, line 57)

Maddening!

James.

> On 11 Oct 2019, at 12:02 am, @lbutlr  wrote:
> 
> On Oct 9, 2019, at 11:46 PM, James Brown  wrote:
>> I think you could be right Thomas, as whatever I put into the .htaccess file 
>> doesn’t seem to make a difference.
> 
> Sounds like your .htaccess file is not being processed then.
> 
> What is the AllowOverride directive in your http.conf for the roundcube 
> directory or parent directory.
> 
> For example, my roundcube install is in /usr/local/www/roundcube and in 
> http.conf I have 
> 
> <Directory /usr/local/www/roundcube>
>  . . . stuff
>  AllowOverride All
>  . . . stuff
> </Directory>





Re: [RCU] Content Security Policy for Roundcube

2019-10-10 Thread @lbutlr
On Oct 9, 2019, at 11:46 PM, James Brown  wrote:
> I think you could be right Thomas, as whatever I put into the .htaccess file 
> doesn’t seem to make a difference.

Sounds like your .htaccess file is not being processed then.

What is the AllowOverride directive in your http.conf for the roundcube 
directory or parent directory.

For example, my roundcube install is in /usr/local/www/roundcube and in 
http.conf I have 

<Directory /usr/local/www/roundcube>
  . . . stuff
  AllowOverride All
  . . . stuff
</Directory>



-- 
The thing standing in the way of your dreams is that the person having them is
*you* https://xkcd.com/1027/


Re: [RCU] Content Security Policy for Roundcube

2019-10-09 Thread James Brown
I think you could be right Thomas, as whatever I put into the .htaccess file 
doesn’t seem to make a difference.

Even tried putting:


Header unset Content-Security-Policy


In https.conf to no avail.

James.

> On 10 Oct 2019, at 6:06 am, roundcube--li...@thomas.freit.ag wrote:
> 
> Hi James,
> 
> my guess is, that the header configured in your .htaccess file is not 
> overriding the one set in
> http.conf. You can easily check this with Firefox or Chrome dev tools in the 
> network tab.
> Unfortunately Apache httpd documentation (@
> https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.
> 
> On 09.10.19 09:38, James Brown wrote:
>> Still can’t get this to work.
>> 
>> I’m using the .htaccess file in my roundcube/ root.
>> 
>> Ie to override the CSP headers in http.conf (for all that Apache serves).
>> 
>> No matter what I put I still get no messages in the mailboxes.
>> 
>> Javascript Console shows:
>> 
>> Refused to execute a script because its hash, its nonce, or 'unsafe-inline' 
>> appears in neither the script-src directive nor the default-src directive of 
>> the Content Security Policy.
>> roundcube:57
>> 
>> In apache_root/roundcube/.htaccess I have:
>> 
>> Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 
>> 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; 
>> img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 
>> 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"
>> 
> 
> I would suggest to use "Header always set ..." or "Header unset 
> Content-Security-Policy" before
> setting it with a new value.
> 
>> httpd.conf has:
>> 
>> Header set Content-Security-Policy "default-src 'self'; form-action 'self'; 
>> frame-ancestors 'self'; base-uri 'self'; report-uri 
>> https://bordo.report-uri.com/r/d/csp/wizard"
> 
> My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 
> 'unsafe-eval';
> style-src 'unsafe-inline' 'self'; form-action 'self'; 
> upgrade-insecure-requests;
> block-all-mixed-content; report-uri". Works for latest 1.3.x and 
> 1.4.x-RC, with httpd 2.4.38
> "header set" in my .htaccess is sufficient to set it.
> 
> hth,
> Thomas

Re: [RCU] Content Security Policy for Roundcube

2019-10-09 Thread James Brown


> On 10 Oct 2019, at 2:16 am, LuKreme  wrote:
> 
> On Oct 9, 2019, at 01:50, James Brown  wrote:
>> 
>> Any suggestions?
> 
> What happens if there is no htaccess file?
> 

Hi LuKreme.

That’s what I had originally. The CSP Header in http.conf prevents Roundcube 
from working properly.

That’s why I was trying to use .htaccess in the roundcube directory to 
overwrite it.

James.





Re: [RCU] Content Security Policy for Roundcube

2019-10-09 Thread David Mehler
Hello,

Here's some options I've set in my apache configuration and for my
setup roundcube does show messages.

Hth
Dave.

Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff

# Content-Security-Policy
Header always set Content-Security-Policy "default-src 'self';
script-src 'self'; connect-src 'self'; img-src 'self'; style-src
'self'; frame-ancestors 'self'"

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
Header always set Referrer-Policy "strict-origin"

# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'


On 10/9/19, roundcube--li...@thomas.freit.ag wrote:
> Hi James,
>
> my guess is, that the header configured in your .htaccess file is not
> overriding the one set in
> http.conf. You can easily check this with Firefox or Chrome dev tools in the
> network tab.
> Unfortunately Apache httpd documentation (@
> https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.
>
> On 09.10.19 09:38, James Brown wrote:
>> Still can’t get this to work.
>>
>> I’m using the .htaccess file in my roundcube/ root.
>>
>> Ie to override the CSP headers in http.conf (for all that Apache serves).
>>
>> No matter what I put I still get no messages in the mailboxes.
>>
>> Javascript Console shows:
>>
>> Refused to execute a script because its hash, its nonce, or
>> 'unsafe-inline' appears in neither the script-src directive nor the
>> default-src directive of the Content Security Policy.
>> roundcube:57
>>
>> In apache_root/roundcube/.htaccess I have:
>>
>> Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src
>> 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';
>> img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors
>> 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"
>>
>
> I would suggest to use "Header always set ..." or "Header unset
> Content-Security-Policy" before
> setting it with a new value.
>
>> httpd.conf has:
>>
>> Header set Content-Security-Policy "default-src 'self'; form-action
>> 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri
>> https://bordo.report-uri.com/r/d/csp/wizard"
>
> My CSP header value is "default-src 'self'; script-src 'self'
> 'unsafe-inline' 'unsafe-eval';
> style-src 'unsafe-inline' 'self'; form-action 'self';
> upgrade-insecure-requests;
> block-all-mixed-content; report-uri". Works for latest 1.3.x and
> 1.4.x-RC, with httpd 2.4.38
> "header set" in my .htaccess is sufficient to set it.
>
> hth,
> Thomas

Re: [RCU] Content Security Policy for Roundcube

2019-10-09 Thread roundcube--lists
Hi James,

my guess is, that the header configured in your .htaccess file is not 
overriding the one set in
http.conf. You can easily check this with Firefox or Chrome dev tools in the 
network tab.
Unfortunately Apache httpd documentation (@
https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.

On 09.10.19 09:38, James Brown wrote:
> Still can’t get this to work.
> 
> I’m using the .htaccess file in my roundcube/ root.
> 
> Ie to override the CSP headers in http.conf (for all that Apache serves).
> 
> No matter what I put I still get no messages in the mailboxes.
> 
> Javascript Console shows:
> 
> Refused to execute a script because its hash, its nonce, or 'unsafe-inline' 
> appears in neither the script-src directive nor the default-src directive of 
> the Content Security Policy.
> roundcube:57
> 
> In apache_root/roundcube/.htaccess I have:
> 
> Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 
> 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; 
> img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; 
> base-uri 'self'; form-action 'self';referrer no-referrer"
> 

I would suggest to use "Header always set ..." or "Header unset 
Content-Security-Policy" before
setting it with a new value.

> httpd.conf has:
> 
> Header set Content-Security-Policy "default-src 'self'; form-action 'self'; 
> frame-ancestors 'self'; base-uri 'self'; report-uri 
> https://bordo.report-uri.com/r/d/csp/wizard"

My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 
'unsafe-eval';
style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests;
block-all-mixed-content; report-uri". Works for latest 1.3.x and 1.4.x-RC, 
with httpd 2.4.38
"header set" in my .htaccess is sufficient to set it.

hth,
Thomas
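Why `Header always set`, `Header unset` and `AllowOverride` change the outcome, as an added model of mod_headers' two header tables and of the .htaccess override check (example code, not Apache's or Roundcube's). The directory path, the server-wide policy and the three .htaccess variants are constructed from what the thread posts; only the `set` and `unset` actions are modelled, and the .htaccess is assumed to sit in the directory whose `<Directory>` block is shown:

```python
"""Predict which Content-Security-Policy value(s) a client receives for a
request under the Roundcube directory, from Apache `Header` directives in
httpd.conf and in that directory's .htaccess.

Added example for this thread, not Apache code. It reproduces three
mod_headers behaviours behind the results reported above:
  * `Header` keeps two tables. Plain `Header set`/`unset` touch the default
    (onsuccess) table; `Header always ...` touches the `always` table. Both
    tables are emitted, so one header name can be sent twice.
  * For one request, server-config directives run before .htaccess ones.
  * `Header` in .htaccess requires AllowOverride FileInfo (or All);
    otherwise httpd logs "Header not allowed here" and answers 500.
"""
import shlex


class ConfigError(Exception):
    """Raised where httpd itself would reject the configuration."""


def parse_header_directives(config_text):
    """Return [(table, action, header-name, value)] for each Header line."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # keeps the double-quoted CSP intact
        if tokens[0].lower() != "header":
            continue                        # AllowOverride, <Directory>, ...
        table = "onsuccess"
        if tokens[1].lower() in ("always", "onsuccess"):
            table = tokens[1].lower()
            del tokens[1]
        action, name = tokens[1].lower(), tokens[2].lower()
        if action not in ("set", "unset"):
            raise ConfigError(f"Header action {action!r} is not modelled here")
        directives.append((table, action, name, tokens[3] if len(tokens) > 3 else None))
    return directives


def allow_override(server_config):
    """AllowOverride keywords in the <Directory> block (httpd default: None)."""
    for raw in server_config.splitlines():
        tokens = raw.split()
        if tokens and tokens[0].lower() == "allowoverride":
            return {t.lower() for t in tokens[1:]}
    return {"none"}


def response_headers(server_config, htaccess, name="content-security-policy"):
    """Values of `name` the client receives: none, one or two of them."""
    directives = parse_header_directives(server_config)
    if htaccess.strip():
        if not allow_override(server_config) & {"all", "fileinfo"}:
            raise ConfigError(".htaccess: Header not allowed here")
        directives += parse_header_directives(htaccess)
    tables = {"onsuccess": {}, "always": {}}
    for table, action, header, value in directives:
        if action == "set":
            tables[table][header] = value
        else:
            tables[table].pop(header, None)
    return [t[name] for t in (tables["onsuccess"], tables["always"]) if name in t]


def htaccess_rejected(server_config, htaccess):
    """True when httpd would refuse the request because of the .htaccess."""
    try:
        response_headers(server_config, htaccess)
    except ConfigError:
        return True
    return False


# Constructed from the thread; the directory path is a placeholder.
GLOBAL_CSP = "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'"
ROUNDCUBE_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                 "style-src 'unsafe-inline' 'self'; form-action 'self'")
SERVER_CONFIG = f"""
Header set Content-Security-Policy "{GLOBAL_CSP}"
<Directory /path/to/roundcube>
    AllowOverride All
</Directory>
"""
SERVER_NO_OVERRIDE = SERVER_CONFIG.replace("AllowOverride All", "AllowOverride None")
HTACCESS_FINAL = f'Header unset Content-Security-Policy\nHeader always set Content-Security-Policy "{ROUNDCUBE_CSP}"\n'
HTACCESS_NO_UNSET = f'Header always set Content-Security-Policy "{ROUNDCUBE_CSP}"\n'
HTACCESS_PLAIN_SET = f'Header set Content-Security-Policy "{ROUNDCUBE_CSP}"\n'

if __name__ == "__main__":
    for label, ht in [("unset + always set (30 Oct)", HTACCESS_FINAL),
                      ("always set only", HTACCESS_NO_UNSET),
                      ("plain set (Thomas)", HTACCESS_PLAIN_SET)]:
        print(label, "->", response_headers(SERVER_CONFIG, ht))
    print("AllowOverride None ->", htaccess_rejected(SERVER_NO_OVERRIDE, HTACCESS_FINAL))
```

The model gives one policy for "unset + always set" and for Thomas's plain `Header set` (same table, so the later directive replaces the earlier one), two policies for `Header always set` on its own, and "Header not allowed here" once AllowOverride drops FileInfo. On a live server the same thing shows up with `curl -sI https://<host>/roundcube/ | grep -i content-security-policy`: two lines means two policies, and the browser enforces both, which is the dev-tools check Thomas describes.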

Re: [RCU] Content Security Policy for Roundcube

2019-10-09 Thread LuKreme
On Oct 9, 2019, at 01:50, James Brown  wrote:
> 
> Any suggestions?

What happens if there is no htaccess file?


Re: [RCU] Content Security Policy for Roundcube

2019-10-09 Thread James Brown
Still can’t get this to work.

I’m using the .htaccess file in my roundcube/ root.

Ie to override the CSP headers in http.conf (for all that Apache serves).

No matter what I put I still get no messages in the mailboxes.

Javascript Console shows:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' 
appears in neither the script-src directive nor the default-src directive of 
the Content Security Policy.
roundcube:57

In apache_root/roundcube/.htaccess I have:

Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 
'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 
'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 
'self'; form-action 'self';referrer no-referrer"

httpd.conf has:

Header set Content-Security-Policy "default-src 'self'; form-action 'self'; 
frame-ancestors 'self'; base-uri 'self'; report-uri 
https://bordo.report-uri.com/r/d/csp/wizard"

Any suggestions?

Thanks,

James.


> On 27 Jul 2019, at 7:32 am, David Mehler  wrote:
> 
> Hello,
> 
> I am also interested in an answer to this question. For my setup I have:
> 
> # Content-Security-Policy
> Header set Content-Security-Policy "default-src 'self';"
> 
> I have no idea if this is right or complete.
> 
> I'm also interested in the best settings for these headers:
> 
> # Prevent ClickJacking
> # Deny outright
> #Header always set X-Frame-Options DENY
> # Roundcube needs this for displaying messages in tabs
> Header always set X-Frame-Options SAMEORIGIN
> 
> # Prevent Cross Site Scripting (XSS)
> Header set X-XSS-Protection "1; mode=block"
> 
> # Prevent Mime Types Security risks
> Header always set X-Content-Type-Options nosniff
> 
> # Cross-domain-policy
> Header set X-Permitted-Cross-Domain-Policies "none"
> 
> # Referer policy
> Header set Referrer-Policy "strict-origin"
> 
> Thanks.
> Dave.
> 
> 
> On 7/25/19, James Brown  wrote:
>> Turning on 'Show Javascript Console' from Safari Develop menu showed me that
>> my Content Security Policy was preventing emails displaying in mailboxes.
>> 
>> Additionally at logout I get the message
>> 
>> "PHP Error: Request security check failed
>> REQUEST CHECK FAILED
>> For your protection, access to this resource is secured against CSRF.
>> If you see this, you probably didn't log out before leaving the web
>> application.
>> 
>> Human interaction is now required to continue."
>> Please contact your server-administrator.
>> 
>> Commenting out the CSP line in https.conf fixed it.
>> 
>> Currently using:
>> 
>> Header set Content-Security-Policy "default-src 'self'; form-action 'self';
>> frame-ancestors 'self'; base-uri ‘self'
>> 
>> Which fails.
>> 
>> Is there a recommended CSP for Roundcube?
>> 
>> thanks,
>> 
>> James.





Re: [RCU] Content Security Policy for Roundcube

2019-07-26 Thread David Mehler
Hello,

I am also interested in an answer to this question. For my setup I have:

# Content-Security-Policy
Header set Content-Security-Policy "default-src 'self';"

I have no idea if this is right or complete.

I'm also interested in the best settings for these headers:

# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
Header set Referrer-Policy "strict-origin"

Thanks.
Dave.


On 7/25/19, James Brown  wrote:
> Turning on 'Show Javascript Console' from Safari Develop menu showed me that
> my Content Security Policy was preventing emails displaying in mailboxes.
>
> Additionally at logout I get the message
>
> "PHP Error: Request security check failed
> REQUEST CHECK FAILED
> For your protection, access to this resource is secured against CSRF.
> If you see this, you probably didn't log out before leaving the web
> application.
>
> Human interaction is now required to continue."
> Please contact your server-administrator.
>
> Commenting out the CSP line in https.conf fixed it.
>
> Currently using:
>
> Header set Content-Security-Policy "default-src 'self'; form-action 'self';
> frame-ancestors 'self'; base-uri ‘self'
>
> Which fails.
>
> Is there a recommended CSP for Roundcube?
>
> thanks,
>
> James.