Content Security Policy for Roundcube


James Brown
Turning on 'Show JavaScript Console' from Safari's Develop menu showed me that my Content Security Policy was preventing emails from displaying in mailboxes.

Additionally, at logout I get the message:

"PHP Error: Request security check failed
REQUEST CHECK FAILED
For your protection, access to this resource is secured against CSRF.
If you see this, you probably didn't log out before leaving the web application.

Human interaction is now required to continue.
Please contact your server-administrator."

Commenting out the CSP line in https.conf fixed it.

Currently using:

Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'"

Which fails.

Is there a recommended CSP for Roundcube?

thanks,

James.
_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users
Re: Content Security Policy for Roundcube

David Mehler
Hello,

I am also interested in an answer to this question. For my setup I have:

# Content-Security-Policy
Header set Content-Security-Policy "default-src 'self';"

I have no idea if this is right or complete.

I'm also interested in the best settings for these headers:

# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
Header set Referrer-Policy "strict-origin"

Thanks.
Dave.


On 7/25/19, James Brown <[hidden email]> wrote:

Re: Content Security Policy for Roundcube

James Brown
Still can’t get this to work.

I’m using the .htaccess file in my roundcube/ root.

I.e. to override the CSP headers in http.conf (for all that Apache serves).

No matter what I put I still get no messages in the mailboxes.

Javascript Console shows:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
roundcube:57

In apache_root/roundcube/.htaccess I have:

Header set Content-Security-Policy "default-src 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; referrer no-referrer"

httpd.conf has:

Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"

Any suggestions?

Thanks,

James.


> On 27 Jul 2019, at 7:32 am, David Mehler <[hidden email]> wrote:

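The console message quoted above is the browser applying CSP's fallback rule: an inline `<script>` is governed by script-src, and when script-src is absent the browser consults default-src instead, so a policy of `default-src 'self'` with no script-src blocks every inline script Roundcube emits. Directives such as frame-ancestors, form-action and base-uri never fall back to default-src. A second rule matters for the httpd.conf-plus-.htaccess setup: a response may carry more than one Content-Security-Policy header (mod_headers sends both its onsuccess table, written by `Header set`, and its always table, written by `Header always set`), and the browser enforces every policy it receives, so an inline script runs only if all of them allow it. The evaluator below is an added example written for this page, not Roundcube code and not anything posted in the thread; the policy strings are copied from the messages above (the .htaccess one minus its obsolete `referrer` directive).

```python
"""Evaluate whether a Content-Security-Policy lets an inline <script> run.

Added example for this thread; not Roundcube code. Implements the CSP Level 3
fallback rule (fetch directives fall back to default-src; navigation and
document directives do not) and the multi-header rule (every policy a response
carries must allow the script).
"""

# Fetch directives: when absent, the browser consults default-src instead.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src",
}
# Everything else (frame-ancestors, form-action, base-uri, sandbox, report-uri,
# upgrade-insecure-requests, ...) never inherits from default-src.


def parse_csp(header_value):
    """Split one header value into {directive: [source expressions]}.

    Directives are ';'-separated; the first token names the directive. If a
    directive is repeated, browsers honour the first occurrence, as we do.
    """
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy, directive):
    """Name of the directive that actually governs `directive`, or None if unrestricted."""
    if directive in policy:
        return directive
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return "default-src"
    return None


def effective_sources(policy, directive):
    """Source list that governs `directive` after applying default-src fallback."""
    name = governing_directive(policy, directive)
    return None if name is None else policy[name]


def inline_script_allowed(policy, nonce=None, sha256=None):
    """Would an inline <script> execute under this single policy?

    nonce / sha256 are the values carried by the script element, if any.
    Keywords are case-insensitive; nonce and hash values are compared exactly.
    """
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True                              # no script-src, no default-src
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if sha256 is not None and f"'sha256-{sha256}'" in sources:
        return True
    # Once any nonce or hash source is present, 'unsafe-inline' is ignored.
    if any(s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
           for s in sources):
        return False
    return "'unsafe-inline'" in {s.lower() for s in sources}


def inline_script_allowed_under(header_values, **script_attrs):
    """A response may carry several CSP headers; the script runs only if all allow it."""
    return all(inline_script_allowed(parse_csp(v), **script_attrs) for v in header_values)


# Policies quoted in this thread (copied from the messages above).
JAMES_HTTPD_CONF = ("default-src 'self'; form-action 'self'; frame-ancestors 'self'; "
                    "base-uri 'self'")
JAMES_HTACCESS = ("default-src 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
                  "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; "
                  "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'")
THOMAS = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
          "style-src 'unsafe-inline' 'self'; form-action 'self'; "
          "upgrade-insecure-requests; block-all-mixed-content")

if __name__ == "__main__":
    for label, value in [("httpd.conf", JAMES_HTTPD_CONF), (".htaccess", JAMES_HTACCESS),
                         ("Thomas", THOMAS)]:
        pol = parse_csp(value)
        print(f"{label:10s} script-src governed by {governing_directive(pol, 'script-src')!s:12s} "
              f"inline script allowed: {inline_script_allowed(pol)}")
    # Both of James's headers delivered at once (Header set + Header always set).
    print("both James headers:", inline_script_allowed_under([JAMES_HTTPD_CONF, JAMES_HTACCESS]))
```

Run it and the httpd.conf policy reports "governed by default-src, allowed: False", which is exactly the "neither the script-src directive nor the default-src directive" error from the console; the combined case reports False as well, which is what you get while both headers are on the wire. The right long-term fix is nonces or hashes rather than 'unsafe-inline', but that needs the application to emit them; with Roundcube's inline scripts as shipped, 'unsafe-inline' on script-src is the practical floor.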
Re: Content Security Policy for Roundcube

@lbutlr
On Oct 9, 2019, at 01:50, James Brown <[hidden email]> wrote:
>
> Any suggestions?

What happens if there is no htaccess file?
Re: Content Security Policy for Roundcube

roundcube--lists
Hi James,

My guess is that the header configured in your .htaccess file is not overriding the one set in
http.conf. You can easily check this with Firefox or Chrome dev tools in the network tab.
Unfortunately the Apache httpd documentation (at
https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.

On 09.10.19 09:38, James Brown wrote:

> Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
> roundcube:57
>
> In apache_root/roundcube/.htaccess I have:
>
> Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';referrer no-referrer"
>

I would suggest using "Header always set ..." or "Header unset Content-Security-Policy" before
setting it with a new value.

> httpd.conf has:
>
> Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"

My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests;
block-all-mixed-content; report-uri....". Works for latest 1.3.x and 1.4.x-RC; with httpd 2.4.38,
"Header set" in my .htaccess is sufficient to set it.

hth,
Thomas

Re: Content Security Policy for Roundcube

David Mehler
Hello,

Here are some options I've set in my Apache configuration, and for my
setup Roundcube does show messages.

Hth
Dave.

Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff

# Content-Security-Policy
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
Header always set Referrer-Policy "strict-origin"

# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'


On 10/9/19, [hidden email] wrote:

Re: Content Security Policy for Roundcube

James Brown


> On 10 Oct 2019, at 2:16 am, LuKreme <[hidden email]> wrote:
>
> What happens if there is no htaccess file?

Hi LuKreme.

That’s what I had originally. The CSP Header in http.conf prevents Roundcube from working properly.

That’s why I was trying to use .htaccess in the roundcube directory to overwrite it.

James.



Re: Content Security Policy for Roundcube

James Brown
I think you could be right, Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.

Even tried putting:

<Directory "apache_root/roundcube">
Header unset Content-Security-Policy
</Directory>

In https.conf to no avail.

James.

On 10 Oct 2019, at 6:06 am, [hidden email] wrote:

Re: Content Security Policy for Roundcube

@lbutlr
On Oct 9, 2019, at 11:46 PM, James Brown <[hidden email]> wrote:
> I think you could be right Thomas, as whatever I put into the .htaccess file doesn’t seem to make a difference.

Sounds like your .htaccess file is not being processed then.

What is the AllowOverride directive in your http.conf for the roundcube directory or its parent directory?

For example, my roundcube install is in /usr/local/www/roundcube and in http.conf I have

<Directory "/usr/local/www">
  . . . stuff
  AllowOverride All
  . . . stuff
</Directory>



--
The thing standing in the way of your dreams is that the person having them is
*you* https://xkcd.com/1027/

Re: Content Security Policy for Roundcube

James Brown
Good suggestion.

Unfortunately it still doesn’t work.

In http.conf I put:

<Directory "path/to/sites/roundcube">
        AllowOverride All
</Directory>

But I would always get ".../roundcube/.htaccess: Header not allowed here"

So commented everything out of roundcube/.htaccess and in http.conf I put:

<Directory "path/to/sites/roundcube">
        AllowOverride All
        #Header unset Content-Security-Policy
        Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
</Directory>

But still get:

[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 17)
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. (roundcube, line 57)

Maddening!

James.

> On 11 Oct 2019, at 12:02 am, @lbutlr <[hidden email]> wrote:
Re: Content Security Policy for Roundcube

James Brown
Finally got this to work.

In http.conf I put:

<Directory "/path/to/roundcube">
        AllowOverride All
        Options +Indexes
</Directory>

Then created /path/to/roundcube/.htaccess and it has:

Header unset Content-Security-Policy
Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"

Not sure if the first line with the ‘unset’ is needed.

After restarting Apache it works.

Hope that helps someone else.

James.


> On 11 Oct 2019, at 4:55 pm, James Brown <[hidden email]> wrote:

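Thomas's advice to look at the network tab is the right check, and it is worth scripting, because the "not sure if the unset is needed" question has a concrete answer you can read off the wire: a plain `Header set` in httpd.conf writes to mod_headers' onsuccess table and `Header always set` in .htaccess writes to its always table, so without the `Header unset` (which, lacking `always`, clears the onsuccess entry) the response goes out with two Content-Security-Policy headers and the browser enforces both. The audit below is an added example written for this page, not Roundcube or Apache code: it parses the header block you get from `curl -sI https://host/roundcube/`, counts CSP headers, and checks the other headers Dave listed earlier in the thread. The sample response inside it is constructed, not captured from any real server, and the finding codes are my own naming.

```python
"""Audit the security headers a Roundcube host actually returns.

Added example for this thread, not Roundcube or Apache code. Paste in the header
block from `curl -sI https://host/roundcube/` (or the network tab) and it reports
what a browser will see, including the duplicate-CSP case that mod_headers
produces when `Header set` and `Header always set` both fire.
"""


def parse_headers(raw):
    """Parse a raw HTTP/1.x header block into [(name_lower, value), ...].

    Duplicates are kept in order: two Content-Security-Policy lines are
    exactly the condition this audit exists to catch.
    """
    lines = raw.splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]                       # drop the status line
    headers = []
    for line in lines:
        if not line.strip():
            break                               # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def csp_directives(value):
    """Set of directive names present in one CSP header value."""
    return {part.split()[0].lower() for part in value.split(";") if part.strip()}


def audit(headers):
    """Return findings as (code, message) tuples; an empty list is a clean result."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)
    findings = []

    csp = by_name.get("content-security-policy", [])
    if not csp:
        findings.append(("csp-missing", "no Content-Security-Policy header"))
    elif len(csp) > 1:
        findings.append(("csp-duplicate",
                         f"{len(csp)} Content-Security-Policy headers; the browser enforces all of "
                         "them, so the strictest wins (typical cause: 'Header set' in httpd.conf "
                         "plus 'Header always set' in .htaccess with no 'Header unset')"))

    # Clickjacking: frame-ancestors supersedes X-Frame-Options where supported;
    # keeping both is fine, having neither is not.
    xfo = by_name.get("x-frame-options", [])
    if not xfo and not any("frame-ancestors" in csp_directives(v) for v in csp):
        findings.append(("framing-unrestricted",
                         "neither CSP frame-ancestors nor X-Frame-Options is set"))
    if xfo and xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("xfo-invalid", f"X-Frame-Options {xfo[0]!r} is not DENY or SAMEORIGIN"))

    if by_name.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append(("nosniff-missing", "X-Content-Type-Options should be 'nosniff'"))

    if "referrer-policy" not in by_name:
        findings.append(("referrer-policy-missing", "no Referrer-Policy header"))

    # The XSS auditor is gone from Chrome/Edge and never existed in Firefox; the
    # filter itself was a side channel, so the only sane value today is "0".
    xss = by_name.get("x-xss-protection")
    if xss and xss[0].strip() != "0":
        findings.append(("xss-protection-obsolete",
                         "X-XSS-Protection is obsolete; send '0' or drop the header"))

    # Expect-CT was retired once CT became mandatory for all public certificates.
    if "expect-ct" in by_name:
        findings.append(("expect-ct-obsolete", "Expect-CT is no longer honoured by browsers"))

    return findings


# Constructed sample, not captured from any real host: what a server with
# 'Header set' in httpd.conf and 'Header always set' in .htaccess emits.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Fri, 11 Oct 2019 06:55:00 GMT
Server: Apache
Content-Security-Policy: default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Expect-CT: enforce, max-age=43200
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for code, message in audit(parse_headers(SAMPLE_RESPONSE)):
        print(f"[{code}] {message}")
```

Against the constructed sample it flags the duplicate CSP, the obsolete X-XSS-Protection value and the obsolete Expect-CT header and nothing else; run it against the real host after the `Header unset` is in place and the csp-duplicate finding should disappear, which is the observable proof that the unset line is doing work.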