Roundcube Community Forum
News and Announcements => General Discussion => Topic started by: Ronald75 on December 27, 2023, 05:51:12 AM
-
Hi all,
When I check my Roundcube website I see a warning about not using CSP. When I try to enable CSP, Roundcube is not functional any more.
Googled the heck out of the internet but could not find a solution.
Has anyone got Roundcube working with CSP in place?
Would love to see some CSP settings
Regards
-
I searched for "csp apache" and one of the first results was at https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server (https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server). In the most prominent 'answer' was "A lack of a CSP policy should not be considered a vulnerability". Another result was a link to the quick reference for CSP: https://content-security-policy.com/ (https://content-security-policy.com/), which might help you.
-
I searched for "csp apache" and one of the first results was at https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server (https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server). In the most prominent 'answer' was "A lack of a CSP policy should not be considered a vulnerability". Another result was a link to the quick reference for CSP: https://content-security-policy.com/ (https://content-security-policy.com/), which might help you.
Yes, these sites are somewhat helpful but do not help me with a working config.
I have tried many solutions, but with any of them in place RoundCube stops working.
Stating that being without CSP should not be considered a vulnerability is just nonsense. It's like leaving the door open and saying this is not a security risk as no one opens the door.
-
And to add my own research:
I have tried creating a policy using a Chrome plugin, "Content Security Policy (CSP) Generator". I can generate a CSP, but that one is also not working, mainly because of inline resources.
According to this extension, inline resources should be moved to their own file (and I am not going to rewrite RoundCube).
As for the need to have CSP, this is a requirement from our customer.
-
I searched for "csp apache" and one of the first results was at https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server (https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server). In the most prominent 'answer' was "A lack of a CSP policy should not be considered a vulnerability". Another result was a link to the quick reference for CSP: https://content-security-policy.com/ (https://content-security-policy.com/), which might help you.
Yes, these sites are somewhat helpful but do not help me with a working config.
I have tried many solutions, but with any of them in place RoundCube stops working.
Stating that being without CSP should not be considered a vulnerability is just nonsense. It's like leaving the door open and saying this is not a security risk as no one opens the door.
Did you read the rest of the answer in that link? I did not say there was no security risk and your analogy is inappropriate.
Did you read the way to configure CSP iteratively by using the Content-Security-Policy-Report-Only Header Field?
What configurations have you tried?
What were the real results of testing those configurations?
This is not a Roundcube issue per se, but you also haven't added whether or not you have access to Apache configuration files.
-
When I enable CSP I can log in to the webpage, but mail is not listed.
When viewing the inspector (Chrome) I can see CSP is blocking because of insecure.
Refused to apply inline style because it violates the following Content Security Policy directive:
"style-src https://fonts.googleapis.com https://*.webpage.nl".
Either the 'unsafe-inline' keyword, a hash ('sha256-YFOIjkCvZnAH6R5z1ZjUI/Zgf7uslK5vN80+lsdvYss='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
This is my CSP (added in .htaccess)
Header add Content-Security-Policy "default-src 'self' https://*.webpage.nl; base-uri 'self' https://*.webpage.nl; frame-src 'self' https://*.webpage.nl; frame-ancestors 'self' https://*.webpage.nl; form-action 'self' https://*.webpage.nl; script-src 'report-sample' 'self' ; style-src https://fonts.googleapis.com https://*.webpage.nl; font-src 'self' data: https://fonts.gstatic.com https://*.webpage.nl;"
-
When I add the report-only header,
the webpage is working but the CSP tests are failing (and I need these tests to pass).
-
If mail (messages/folders?) is not showing, perhaps that is because the IMAP server (the source of the data) is recognised by CSP as a different location, although that doesn't appear in the report you include.
Sorry, but I have nothing further to add.
-
If mail (messages/folders?) is not showing, perhaps that is because the IMAP server (the source of the data) is recognised by CSP as a different location, although that doesn't appear in the report you include.
Sorry, but I have nothing further to add.
Anyhow, thanks for the response.
-
When I enable CSP I can log in to the webpage, but mail is not listed.
When viewing the inspector (Chrome) I can see CSP is blocking because of insecure.
Refused to apply inline style because it violates the following Content Security Policy directive:
"style-src https://fonts.googleapis.com https://*.webpage.nl".
Either the 'unsafe-inline' keyword, a hash ('sha256-YFOIjkCvZnAH6R5z1ZjUI/Zgf7uslK5vN80+lsdvYss='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
This is my CSP (added in .htaccess)
Header add Content-Security-Policy "default-src 'self' https://*.webpage.nl; base-uri 'self' https://*.webpage.nl; frame-src 'self' https://*.webpage.nl; frame-ancestors 'self' https://*.webpage.nl; form-action 'self' https://*.webpage.nl; script-src 'report-sample' 'self' ; style-src https://fonts.googleapis.com https://*.webpage.nl; font-src 'self' data: https://fonts.gstatic.com https://*.webpage.nl;"
The error message is rather clear on the fix, you'll need to add the "unsafe-inline" to the security policy since all emails set style inline to the message body.
-
The error message is rather clear on the fix, you'll need to add the "unsafe-inline" to the security policy since all emails set style inline to the message body.
One might think that. But putting "unsafe-inline" in the CSP will fail the CSP check!
(Of course the web interface will work as expected.)
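As an added example (not code from the thread, from Roundcube, or from any poster), the Python below parses the .htaccess policy quoted above, shows why a browser refuses an inline style under it, and computes the 'sha256-...' source expression that the browser message names as the alternative to 'unsafe-inline'. The inline style text is constructed; the hash printed in the thread belongs to content that is not shown, so it is not reproduced here.

```python
import base64
import hashlib

# The policy the original poster reported from .htaccess (copied from the thread).
THREAD_POLICY = (
    "default-src 'self' https://*.webpage.nl; base-uri 'self' https://*.webpage.nl; "
    "frame-src 'self' https://*.webpage.nl; frame-ancestors 'self' https://*.webpage.nl; "
    "form-action 'self' https://*.webpage.nl; script-src 'report-sample' 'self' ; "
    "style-src https://fonts.googleapis.com https://*.webpage.nl; "
    "font-src 'self' data: https://fonts.gstatic.com https://*.webpage.nl;"
)


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_hash(inline_content):
    """CSP source expression for a <style> block's text: 'sha256-<base64 of digest>'."""
    digest = hashlib.sha256(inline_content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_allowed(header, inline_content):
    """Would the browser apply a <style> element with this exact text?
    style-src governs it; default-src is the fallback when style-src is absent.
    'unsafe-inline' is ignored by the browser once a nonce or hash source is listed."""
    sources = parse_csp(header)
    sources = sources.get("style-src", sources.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return csp_hash(inline_content) in sources


def allow_inline_style_by_hash(header, inline_content):
    """Return the header with the hash of inline_content added to style-src,
    the per-block alternative to blanket 'unsafe-inline'."""
    policy = parse_csp(header)
    policy["style-src"] = list(policy.get("style-src", policy.get("default-src", [])))
    policy["style-src"].append(csp_hash(inline_content))
    return "; ".join((d + " " + " ".join(s)).strip() for d, s in policy.items())


if __name__ == "__main__":
    style = "body { color: red }"  # constructed sample inline style
    print(inline_style_allowed(THREAD_POLICY, style))   # False: no hash, no 'unsafe-inline'
    print(allow_inline_style_by_hash(THREAD_POLICY, style))
```

A hash only covers the contents of a `<style>` element; as the browser message quoted above states, `style="..."` attributes (which HTML e-mail bodies are full of) are not matched by hashes unless 'unsafe-hashes' is also present.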
-
What CSP check are you referring to?