Hi, so after some testing it looks like the lighttpd setting:

setenv.add-response-header = (
   "Strict-Transport-Security" => "max-age=63072000; includeSubDomains",
   "X-Frame-Options" => "DENY"
)

in particular:
 "X-Frame-Options" => "DENY"

was causing the issue.

There is a bug tracked about it in roundcube (http://trac.roundcube.net/ticket/1487037),
and it is also documented in the 'defaults.inc.php' file:

// X-Frame-Options HTTP header value sent to prevent from Clickjacking.
// Possible values: sameorigin|deny. Set to false in order to disable sending them
$config['x_frame_options'] = 'sameorigin';

Anyway, could you please suggest the best setting for both roundcube and lighttpd? (Should lighttpd be set to 'sameorigin', or should roundcube be set to 'deny'?)


Thanks for supporting!
RuggedInbox team
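
Added example, not code from the thread or from the Roundcube project: a small audit that reads a raw HTTP response header block and reports how a browser will treat its X-Frame-Options header(s). It encodes the browser rules from the HTML Standard (values are case-insensitive; DENY forbids framing even from the same origin; a response carrying more than one distinct X-Frame-Options value is treated as DENY; an unknown token is ignored). The sample responses are constructed by hand to mirror the setup above: lighttpd adding DENY via setenv.add-response-header while Roundcube sends its own default SAMEORIGIN, and then the same response with lighttpd changed to SAMEORIGIN. Roundcube's interface frames parts of itself (message preview, attachment upload) from the same origin, which is why any effective DENY breaks it.

```python
"""Audit the X-Frame-Options header(s) a Roundcube page actually returns.

Added example for this thread, not Roundcube or lighttpd code. The sample
header blocks are constructed, not captured from ruggedinbox.com.
"""

# Constructed sample: lighttpd adds DENY and Roundcube adds SAMEORIGIN, so
# one response carries two X-Frame-Options headers with different values.
SAMPLE_DENY_PLUS_SAMEORIGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

# Constructed sample: lighttpd changed to SAMEORIGIN, Roundcube left at its
# default; two headers, but only one distinct value.
SAMPLE_SAMEORIGIN_TWICE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "\r\n"
)


def x_frame_options_values(raw_headers):
    """Collect every X-Frame-Options value in a raw header block.

    Header names are case-insensitive, and a proxy may merge repeated
    headers into one comma-separated value, so split on commas as well.
    """
    values = []
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.extend(v.strip().lower() for v in value.split(",") if v.strip())
    return values


def framing_policy(raw_headers):
    """Classify what a browser does with the response's X-Frame-Options.

    Returns one of:
      "unrestricted"  no header: any origin may frame the page
      "sameorigin"    only same-origin framing is allowed
      "deny"          no framing at all, not even from the same origin
      "conflict"      several distinct values: browsers treat this as DENY
      "invalid"       single unknown token: browsers ignore the header
    """
    values = x_frame_options_values(raw_headers)
    if not values:
        return "unrestricted"
    distinct = set(values)
    if len(distinct) > 1:
        return "conflict"
    value = distinct.pop()
    return value if value in ("deny", "sameorigin") else "invalid"


def breaks_roundcube(raw_headers):
    """True when Roundcube's own same-origin iframes would be refused."""
    return framing_policy(raw_headers) in ("deny", "conflict")


if __name__ == "__main__":
    for label, sample in (("lighttpd DENY + Roundcube", SAMPLE_DENY_PLUS_SAMEORIGIN),
                          ("lighttpd SAMEORIGIN + Roundcube", SAMPLE_SAMEORIGIN_TWICE)):
        print(f"{label}: policy={framing_policy(sample)} "
              f"breaks_roundcube={breaks_roundcube(sample)}")
```

To check a live installation instead of the constructed samples, feed it the output of `curl -sI https://example.invalid/rc` (hostname is a placeholder). Two points the script makes concrete: DENY breaks Roundcube whichever side sets it, because DENY refuses same-origin frames, while SAMEORIGIN set in both places is harmless, since identical repeated values collapse to one. One caveat the script does not model: when a response also carries a Content-Security-Policy frame-ancestors directive, browsers ignore X-Frame-Options entirely and use the CSP value.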
On 2014-08-21 13:42, [email protected] wrote:
Hi all!
We recently improved our https configuration on lighttpd:
https://www.ssllabs.com/ssltest/analyze.html?d=ruggedinbox.com
but something seems to have broken roundcube... can't properly attach
files, can't send emails, sometimes can't log out.

We are pointing the finger at ssl because when using roundcube as a
Tor hidden service (thus bypassing ssl), everything works ok and
smooth.

Try yourself:
username: demo
password: demo11
under ssl: https://ruggedinbox.com/rc
as a Tor hidden service: http://s4bysmmsnraf7eut.onion/rc

What do you think ?


Thanks for supporting!
RuggedInbox team
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users