Roundcube Community Forum

Release Support => Requests => Topic started by: Loguithat1955 on January 10, 2018, 06:13:34 AM

Title: XSS Security Question
Post by: Loguithat1955 on January 10, 2018, 06:13:34 AM
After creating 2 plugins I tried to make them a little bit safer. One of the things I noticed was that the plugins do not work with very restrictive CSP configurations. In particular, these are unsafe-inline and unsafe-eval. I would not consider this critical, but at least it would be a "nice-to-have". But even if I customize my own plugins, Roundcube itself doesn't work anymore when I apply the mentioned CSP rules, because many functions from Roundcube itself also need the above-mentioned rules.

So I wanted to ask if it is planned to change JavaScript and Co. in Roundcube so that the above rules are no longer needed? Is there already a kind of roadmap or an approximate time schedule?

Title: Re: XSS Security Question
Post by: alec on January 10, 2018, 09:34:11 AM
There's no such plan yet.