Author Topic: CSP for Roundcube 1.6.5 running on Apache2  (Read 1103 times)

Offline Ronald75

  • Newbie
  • *
  • Posts: 8
CSP for Roundcube 1.6.5 running on Apache2
« on: December 27, 2023, 05:51:12 AM »
Hi all,

When I check my Roundcube website I see a warning about not using CSP. When I try to enable CSP, Roundcube is not functional any more.

Googled the heck out of internet but could not find a solution.

Has anyone got Roundcube working with CSP in place?
Would love to see some CSP settings.

Regards

Offline PlymouthExpat

  • Newbie
  • *
  • Posts: 7
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #1 on: December 27, 2023, 06:21:46 AM »
I searched for "csp apache" and one of the first results was at https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server. In the most prominent 'answer' was "A lack of a CSP policy should not be considered a vulnerability". Another result was a link to the quick reference for CSP: https://content-security-policy.com/, which might help you.

Offline Ronald75

  • Newbie
  • *
  • Posts: 8
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #2 on: December 27, 2023, 06:48:11 AM »
I searched for "csp apache" and one of the first results was at https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server. In the most prominent 'answer' was "A lack of a CSP policy should not be considered a vulnerability". Another result was a link to the quick reference for CSP: https://content-security-policy.com/, which might help you.

Yes, these sites are somewhat helpful but do not help me with a working config.
I have tried many solutions, but with any of them in place Roundcube stops working.

Stating that being without CSP should not be considered a vulnerability is just nonsense. It's like leaving the door open and saying this is not a security risk as no one opens the door.


Offline Ronald75

  • Newbie
  • *
  • Posts: 8
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #3 on: December 27, 2023, 06:51:05 AM »
And to add my own research:
I have tried creating a policy using a Chrome plugin, "Content Security Policy (CSP) Generator". I can generate a CSP, but that one is also not working, mainly because of inline resources.
According to this extension, inline resources should be moved to their own file (and I am not going to rewrite Roundcube).

As for the need to have CSP, this is a requirement from our customer.

Offline PlymouthExpat

  • Newbie
  • *
  • Posts: 7
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #4 on: December 27, 2023, 08:08:38 AM »
I searched for "csp apache" and one of the first results was at https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server. In the most prominent 'answer' was "A lack of a CSP policy should not be considered a vulnerability". Another result was a link to the quick reference for CSP: https://content-security-policy.com/, which might help you.

Yes, these sites are somewhat helpful but do not help me with a working config.
I have tried many solutions, but with any of them in place Roundcube stops working.

Stating that being without CSP should not be considered a vulnerability is just nonsense. It's like leaving the door open and saying this is not a security risk as no one opens the door.
Did you read the rest of the answer at that link? I did not say there was no security risk, and your analogy is inappropriate.
Did you read the way to configure CSP iteratively by using the Content-Security-Policy-Report-Only Header Field?


What configurations have you tried?
What were the real results of testing those configurations?


This is not a Roundcube issue per se, but you also haven't added whether or not you have access to Apache configuration files.
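As an added example for this thread (not Roundcube's or Apache's own code): iterating with Content-Security-Policy-Report-Only, as suggested above, only pays off if the violation reports land somewhere you can read them. The script below is a minimal collector for those reports. It assumes the Report-Only header on the Roundcube vhost names a report-uri of /csp-report and that Apache proxies that path to this script; the two reports embedded in it are constructed for the example, not captured from a browser. Browsers send either the legacy application/csp-report object or the Reporting API application/reports+json array, and both are handled.

```python
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample reports (not captured from a real browser session).
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://mail.webpage.nl/?_task=mail",
    "violated-directive": "style-src-elem",
    "effective-directive": "style-src-elem",
    "blocked-uri": "inline",
    "disposition": "report",
    "original-policy": "default-src 'self'; style-src 'self'; report-uri /csp-report",
}}).encode()

REPORTING_API_REPORT = json.dumps([{
    "type": "csp-violation", "age": 12, "url": "https://mail.webpage.nl/?_task=mail",
    "body": {"documentURL": "https://mail.webpage.nl/?_task=mail",
             "effectiveDirective": "font-src",
             "blockedURL": "https://fonts.gstatic.com/s/roboto/v30/abc.woff2",
             "disposition": "report"},
}]).encode()


def parse_csp_reports(raw: bytes) -> list[tuple[str, str]]:
    """Return (effective-directive, blocked-uri) pairs from one POST body.

    Handles the legacy application/csp-report object and the Reporting API
    application/reports+json array; anything else yields no pairs.
    """
    try:
        data = json.loads(raw)
    except ValueError:
        return []
    bodies = []
    if isinstance(data, dict) and isinstance(data.get("csp-report"), dict):
        bodies.append(data["csp-report"])
    elif isinstance(data, list):
        bodies.extend(r.get("body", {}) for r in data
                      if isinstance(r, dict) and r.get("type") == "csp-violation")
    pairs = []
    for b in bodies:
        directive = (b.get("effective-directive") or b.get("effectiveDirective")
                     or b.get("violated-directive") or "unknown")
        blocked = b.get("blocked-uri") or b.get("blockedURL") or "unknown"
        # legacy violated-directive may carry the whole value ("style-src 'self'")
        pairs.append((directive.split()[0], blocked))
    return pairs


def suggest_sources(pairs) -> dict[str, set[str]]:
    """Reduce violations to the source expressions each directive would need.

    'inline' and 'eval' are kept as markers: they call for a hash/nonce or an
    'unsafe-*' keyword, which is a policy decision, not a host to allow-list.
    """
    needed: dict[str, set[str]] = {}
    for directive, blocked in pairs:
        if blocked in ("inline", "eval", "unknown"):
            source = blocked
        elif "://" in blocked:
            u = urlsplit(blocked)
            source = f"{u.scheme}://{u.netloc}"     # keep only the origin
        else:
            source = f"{blocked}:"                  # e.g. "data" -> "data:"
        needed.setdefault(directive, set()).add(source)
    return needed


class ReportHandler(BaseHTTPRequestHandler):
    """Accepts browser POSTs on /csp-report and tallies (directive, blocked) pairs."""
    tally: Counter = Counter()

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        for pair in parse_csp_reports(self.rfile.read(length)):
            self.tally[pair] += 1
            self.log_message("CSP violation #%d: %s blocked %s", self.tally[pair], *pair)
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    sample = parse_csp_reports(LEGACY_REPORT) + parse_csp_reports(REPORTING_API_REPORT)
    print(suggest_sources(sample))
    HTTPServer(("127.0.0.1", 8088), ReportHandler).serve_forever()
```

On the Apache side the matching line (mod_headers assumed) would be Header always set Content-Security-Policy-Report-Only "default-src 'self'; style-src 'self'; report-uri /csp-report". Two details matter when experimenting: "always" makes the header go out on error responses as well, and "set" avoids the duplicate headers that "Header add" produces when the same directive ends up in more than one scope (server config plus .htaccess, for instance). Once the tally stops growing, the accumulated sources go into the enforcing header and the Report-Only one is dropped.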

Offline Ronald75

  • Newbie
  • *
  • Posts: 8
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #5 on: December 27, 2023, 08:18:39 AM »
When I enable CSP I can log in to the webpage but mail is not listed.
When viewing the inspector (Chrome) I can see CSP is blocking it as insecure:

Refused to apply inline style because it violates the following Content Security Policy directive:
"style-src https://fonts.googleapis.com https://*.webpage.nl".
Either the 'unsafe-inline' keyword, a hash ('sha256-YFOIjkCvZnAH6R5z1ZjUI/Zgf7uslK5vN80+lsdvYss='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.


This is my CSP (added in .htaccess)
Header add Content-Security-Policy "default-src 'self' https://*.webpage.nl; base-uri 'self' https://*.webpage.nl; frame-src 'self' https://*.webpage.nl; frame-ancestors 'self' https://*.webpage.nl; form-action 'self' https://*.webpage.nl; script-src 'report-sample' 'self' ; style-src https://fonts.googleapis.com https://*.webpage.nl; font-src 'self' data: https://fonts.gstatic.com https://*.webpage.nl;"

Offline Ronald75

  • Newbie
  • *
  • Posts: 8
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #6 on: December 27, 2023, 08:31:13 AM »
When I add the report only header
 
The webpage is working but the CSP tests are failing (and I need these tests to pass).


Offline PlymouthExpat

  • Newbie
  • *
  • Posts: 7
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #7 on: December 27, 2023, 08:35:08 AM »
If mail (messages/folders?) is not showing, perhaps that is because the IMAP server (the source of the data) is recognised by CSP as a different location, although that doesn't appear in the report you include.


Sorry, but I have nothing further to add.

Offline Ronald75

  • Newbie
  • *
  • Posts: 8
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #8 on: December 27, 2023, 08:44:37 AM »
If mail (messages/folders?) is not showing, perhaps that is because the IMAP server (the source of the data) is recognised by CSP as a different location, although that doesn't appear in the report you include.


Sorry, but I have nothing further to add.

Anyhow, thanks for the response.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,882
    • SKaero - Custom Roundcube development
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #9 on: December 27, 2023, 12:42:17 PM »
When I enable CSP I can log in to the webpage but mail is not listed.
When viewing the inspector (Chrome) I can see CSP is blocking it as insecure:

Refused to apply inline style because it violates the following Content Security Policy directive:
"style-src https://fonts.googleapis.com https://*.webpage.nl".
Either the 'unsafe-inline' keyword, a hash ('sha256-YFOIjkCvZnAH6R5z1ZjUI/Zgf7uslK5vN80+lsdvYss='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.


This is my CSP (added in .htaccess)
Header add Content-Security-Policy "default-src 'self' https://*.webpage.nl; base-uri 'self' https://*.webpage.nl; frame-src 'self' https://*.webpage.nl; frame-ancestors 'self' https://*.webpage.nl; form-action 'self' https://*.webpage.nl; script-src 'report-sample' 'self' ; style-src https://fonts.googleapis.com https://*.webpage.nl; font-src 'self' data: https://fonts.gstatic.com https://*.webpage.nl;"

The error message is rather clear on the fix: you'll need to add "unsafe-inline" to the security policy, since all emails set styles inline in the message body.
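Added example to go with the error message in Reply #5 and the answer above (not Roundcube's own code; the policy string is the one posted in the thread, the two inline style blocks are constructed): a small model of how the browser decides whether an inline style is allowed. It shows that Chrome's 'sha256-...' hint is simply base64(sha256(content)) of the inline block, so a hash can be listed for a fixed skin style but cannot cover arbitrary mail bodies; that once a hash or nonce is in the list, 'unsafe-inline' is ignored; and that style="" attributes additionally need 'unsafe-hashes', exactly as the message says.

```python
import base64
import hashlib

# Policy from Reply #5, trimmed to the directives that matter for styles.
POSTED_POLICY = ("default-src 'self' https://*.webpage.nl; "
                 "script-src 'report-sample' 'self'; "
                 "style-src https://fonts.googleapis.com https://*.webpage.nl; "
                 "font-src 'self' data: https://fonts.gstatic.com https://*.webpage.nl")

# Constructed inline styles: a fixed skin block, and one from an incoming mail body.
SKIN_STYLE = "#messagelist tr.unread { font-weight: bold; }"
MAIL_STYLE = "p { color: #ff0000; font-family: Comic Sans MS; }"

HASH_ALGS = ("sha256", "sha384", "sha512")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            # the first occurrence of a directive wins; duplicates are ignored
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_hash(inline: str, alg: str = "sha256") -> str:
    """The 'sha256-...' source expression a browser prints in its violation message."""
    digest = hashlib.new(alg, inline.encode("utf-8")).digest()
    return f"'{alg}-{base64.b64encode(digest).decode('ascii')}'"


def effective_sources(policy, directive):
    """Follow the CSP3 fallback chain, e.g. style-src-elem -> style-src -> default-src."""
    chain = [directive]
    if directive.endswith(("-elem", "-attr")):
        chain.append(directive.rsplit("-", 1)[0])
    chain.append("default-src")
    for name in chain:
        if name in policy:
            return policy[name]
    return None  # nothing governs this fetch: allowed


def inline_style_allowed(policy, inline: str, attribute: bool = False) -> bool:
    """Would this policy let an inline <style> (or style="" if attribute) apply?"""
    directive = "style-src-attr" if attribute else "style-src-elem"
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    keywords = {s.lower() for s in sources
                if s.startswith("'") and not s.startswith(("'sha", "'nonce-"))}
    hashes = {s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))}
    nonces = [s for s in sources if s.startswith("'nonce-")]
    # Hashes cover <style> elements; style="" attributes also need 'unsafe-hashes'.
    if hashes and (not attribute or "'unsafe-hashes'" in keywords):
        if any(csp_hash(inline, alg) in hashes for alg in HASH_ALGS):
            return True
    # CSP3: 'unsafe-inline' is ignored as soon as a hash or nonce is present.
    if "'unsafe-inline'" in keywords and not hashes and not nonces:
        return True
    return False


def posted_policy_with(extra: str) -> dict[str, list[str]]:
    """The posted policy with `extra` prepended to its style-src source list."""
    return parse_csp(POSTED_POLICY.replace("style-src ", f"style-src {extra} ", 1))


if __name__ == "__main__":
    h = csp_hash(SKIN_STYLE)
    print("posted policy, skin style:      ", inline_style_allowed(parse_csp(POSTED_POLICY), SKIN_STYLE))
    print("with 'unsafe-inline', mail style:", inline_style_allowed(posted_policy_with("'unsafe-inline'"), MAIL_STYLE))
    print("with hash of skin, skin style:   ", inline_style_allowed(posted_policy_with(h), SKIN_STYLE))
    print("with hash of skin, mail style:   ", inline_style_allowed(posted_policy_with(h), MAIL_STYLE))
    print("hash + 'unsafe-inline', mail:    ", inline_style_allowed(posted_policy_with(f"'unsafe-inline' {h}"), MAIL_STYLE))
```

The consequence for this thread: hashes or nonces can cover Roundcube's own static inline styles, but every incoming HTML message carries its own styles, and a hash list cannot anticipate them. That is why a scanner that flags 'unsafe-inline' and a webmail client that must render arbitrary mail pull in opposite directions; the usual compromise is to accept 'unsafe-inline' in style-src only, while keeping script-src free of it, since injected styles are far less damaging than executable script.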

Offline Ronald75

  • Newbie
  • *
  • Posts: 8
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #10 on: December 28, 2023, 02:27:21 AM »

The error message is rather clear on the fix: you'll need to add "unsafe-inline" to the security policy, since all emails set styles inline in the message body.

One might think that. But putting "unsafe-inline" in the CSP will fail the CSP check!
(Of course the web interface will work as expected.)

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,882
    • SKaero - Custom Roundcube development
Re: CSP for Roundcube 1.6.5 running on Apache2
« Reply #11 on: December 28, 2023, 11:24:33 AM »
What CSP check are you referring to?