Hello, I am also interested in an answer to this question. For my setup I have:
# Content-Security-Policy
Header set Content-Security-Policy "default-src 'self';"

I have no idea if this is right or complete. I'm also interested in the best settings for these headers:

# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
Header set Referrer-Policy "strict-origin"

Thanks.

Dave.

On 7/25/19, James Brown <[email protected]> wrote:
> Turning on 'Show Javascript Console' from Safari Develop menu showed me that
> my Content Security Policy was preventing emails displaying in mailboxes.
>
> Additionally at logout I get the message
>
> "PHP Error: Request security check failed
> REQUEST CHECK FAILED
> For your protection, access to this resource is secured against CSRF.
> If you see this, you probably didn't log out before leaving the web
> application.
>
> Human interaction is now required to continue."
> Please contact your server-administrator.
>
> Commenting out the CSP line in https.conf fixed it.
>
> Currently using:
>
> Header set Content-Security-Policy "default-src 'self'; form-action 'self';
> frame-ancestors 'self'; base-uri 'self'"
>
> Which fails.
>
> Is there a recommended CSP for Roundcube?
>
> thanks,
>
> James.
> _______________________________________________
> Roundcube Users mailing list
> [email protected]
> http://lists.roundcube.net/mailman/listinfo/users
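A small lint for the header values in this thread, added here as an example (not Roundcube's code and not from either poster): it parses a CSP value, flags a non-ASCII quote such as the one in the quoted base-uri line, keywords written without single quotes, the directives that do not inherit from default-src, and a frame-ancestors value that contradicts the X-Frame-Options header sent beside it. It uses only the Python standard library; the two sample policies at the bottom are the ones quoted above.

```python
import re

# CSP tokens are printable ASCII; a smart quote pasted from a mail client fails this.
VALID_TOKEN = re.compile(r"^[\x21-\x7e]+$")
KEYWORDS = ("self", "none", "unsafe-inline", "unsafe-eval")

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}.
    Per the CSP spec, only the first occurrence of a directive counts."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_csp(value, x_frame_options=None):
    """Return a list of findings for a CSP value (and the X-Frame-Options value sent with it)."""
    findings = []
    policy = parse_csp(value)
    for name, sources in policy.items():
        for src in sources:
            if not VALID_TOKEN.match(src):
                findings.append(f"{name}: source {src!r} is not printable ASCII (smart quote?) and will be ignored")
            elif src in KEYWORDS:
                findings.append(f"{name}: keyword {src} must be single-quoted, unquoted it is read as a host name")
    # script-src falls back to default-src; base-uri and form-action never do.
    scripts = policy.get("script-src", policy.get("default-src", []))
    for kw in ("'unsafe-inline'", "'unsafe-eval'"):
        if kw in scripts:
            findings.append(f"scripts allow {kw}, which largely defeats CSP as an XSS mitigation")
    for directive in ("base-uri", "form-action"):
        if directive not in policy:
            findings.append(f"missing {directive}: it does not inherit from default-src, so it is unrestricted")
    ancestors = policy.get("frame-ancestors")
    if ancestors is None:
        findings.append("missing frame-ancestors: framing is governed only by X-Frame-Options")
    elif x_frame_options:
        expected = {"DENY": "'none'", "SAMEORIGIN": "'self'"}.get(x_frame_options.upper())
        if expected and ancestors != [expected]:
            findings.append(f"frame-ancestors {' '.join(ancestors)} disagrees with X-Frame-Options {x_frame_options}; CSP-aware browsers honour frame-ancestors and ignore X-Frame-Options")
    return findings

if __name__ == "__main__":
    # Constructed inputs: the two policies quoted in this thread (James's with the smart quote).
    for label, csp, xfo in (("James", "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri \u2018self'", None),
                            ("Dave", "default-src 'self';", "SAMEORIGIN")):
        print(label, lint_csp(csp, xfo))
```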
