Finally got this to work. In http.conf I put:
<Directory “/parth/to/roundcube">
AllowOverride All
Options +Indexes
</Directory>
Then created /path/to/roundcube/.htaccess and it has:
Header unset Content-Security-Policy
Header always set Content-Security-Policy "default-src 'unsafe-inline'
'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src
'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self';
frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
Not sure if the first line with the ‘unset’ is needed.
After restarting Apache it works.
Hope that helps someone else.
James.
> On 11 Oct 2019, at 4:55 pm, James Brown <[email protected]> wrote:
>
> Good suggestion.
>
> Unfortunately it still doesn’t work.
>
> In http.conf I put:
>
> <Directory “path/to/sites/roundcube”
> AllowOverride All
> </Directory>
>
> But I would always get “.../roundcube/.htaccess: Header not allowed here”
>
> So commented everything out of roundcube/.htaccess and in http.conf I put:
>
> <Directory "path/to/sites/roundcube">
> AllowOverride All
> #Header unset Content-Security-Policy
> Header always set Content-Security-Policy "default-src 'self'
> 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src
> 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests;
> block-all-mixed-content"
> </Directory>
>
> But still get:
>
> [Error] Refused to execute a script because its hash, its nonce, or
> 'unsafe-inline' appears in neither the script-src directive nor the
> default-src directive of the Content Security Policy. (roundcube, line 17)
> [Error] Refused to execute a script because its hash, its nonce, or
> 'unsafe-inline' appears in neither the script-src directive nor the
> default-src directive of the Content Security Policy. (roundcube, line 57)
>
> Maddening!
>
> James.
>
>> On 11 Oct 2019, at 12:02 am, @lbutlr <[email protected]> wrote:
>>
>> On Oct 9, 2019, at 11:46 PM, James Brown <[email protected]> wrote:
>>> I think you could be right Thomas, as whatever I put into the .htaccess
>>> file doesn’t seem to make a difference.
>>
>> Sounds like your .htaccess file is not being processed then.
>>
>> What is the AllowOverride directive in your http.conf for the roundcube
>> directory or parent directory.
>>
>> For example, my roundcube install is in /usr/local/www/roundcube and in
>> http.conf I have
>>
>> <Directory "/usr/local/www”>
>> . . . stuff
>> AllowOverride All
>> . . . stuff
>> </Directory>
>>
>>
>>
>> --
>> The thing standing in the way of your dreams is that the person having them
>> is
>> *you* https://xkcd.com/1027/
>>
>> _______________________________________________
>> Roundcube Users mailing list
>> [email protected]
>> http://lists.roundcube.net/mailman/listinfo/users
>
>
> _______________________________________________
> Roundcube Users mailing list
> [email protected]
> http://lists.roundcube.net/mailman/listinfo/users
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Roundcube Users mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/users
