referrer and cspv2 policies and roundcube


referrer and cspv2 policies and roundcube

David Mehler
Hello,

I've upgraded my CSP policy to a v2 setup. My server is now being
contrary: IE11 is working just fine, letting me log in to Roundcube
and deal with email sending. Chrome and Firefox are both hanging at
the login screen, with no errors. Whenever I comment out the loading
of this file things start working. Is there something in this file
that is notably wrong/misconfigured?

Also, when using Roundcube and modsecurity 2.9.x are there any gotchas
or things that need to be specially configured?

Thanks.
Dave.
#
# httpd-security.conf:
# Security hardening settings
#

# Disable ETag
# FileETag None doesn't work in all cases.
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
FileETag None

# Unset the server
Header unset Server

# Disable Trace http requests
TraceEnable off

# Set cookie with HttpOnly and Secure flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
#Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
#Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
# Enforce MIME types for script and style elements
Header always set X-Content-Type-Options nosniff

# Content-Security-Policy
#Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"
# Enable Content Security Policy (Level 2)
Header always set Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"

# Disable Referrer which isn't needed when you don't use authentication
#Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "strict-origin"

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
#Header always set Referrer-Policy "strict-origin"

# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'

# Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

# unset the server powered by header
Header unset X-Powered-By
Header always unset X-Powered-By

# Disable HTTP 1.0 protocol
# THE_REQUEST holds the full request line, so this rejects any request
# whose line does not end in HTTP/1.1; that includes HTTP/2 requests,
# whose request line is recorded as HTTP/2.0.
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

# For mod security
#<IfModule security3_module>
#Include /usr/local/etc/modsecurity/*.conf
# Load the base Owasp rules
#Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
#</IfModule>

# mod_evasive
#<IfModule mod_evasive20.c>
#DOSHashTableSize    3097
#DOSPageCount        2
#DOSSiteCount        50
#DOSPageInterval     1
#DOSSiteInterval     1
#DOSBlockingPeriod   60
#DOSEmailNotify [hidden email]
#DOSWhitelist   127.0.0.1
#DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
#</IfModule>

# Send the CORS header for images when browsers request it.
#
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
<IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
        <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
            SetEnvIf Origin ":" IS_CORS
            Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
    </IfModule>
</IfModule>

# Allow cross-origin access to web fonts.
#
# https://developers.google.com/fonts/docs/troubleshooting
<IfModule mod_headers.c>
    <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
<IfModule mod_mime.c>
  # Data interchange
    AddType application/atom+xml                        atom
    AddType application/json                            json map topojson
    AddType application/ld+json                         jsonld
    AddType application/rss+xml                         rss
    AddType application/geo+json                        geojson
    AddType application/rdf+xml                         rdf
    AddType application/xml                             xml
  # JavaScript
    # Servers should use text/javascript for JavaScript resources.
    # https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
    AddType text/javascript                             js mjs
  # Manifest files
    AddType application/manifest+json                   webmanifest
    AddType application/x-web-app-manifest+json         webapp
    AddType text/cache-manifest                         appcache
  # Media files
    AddType audio/mp4                                   f4a f4b m4a
    AddType audio/ogg                                   oga ogg opus
    AddType image/bmp                                   bmp
    AddType image/svg+xml                               svg svgz
    AddType image/webp                                  webp
    AddType video/mp4                                   f4v f4p m4v mp4
    AddType video/ogg                                   ogv
    AddType video/webm                                  webm
    AddType video/x-flv                                 flv
    # Serving `.ico` image files with a different media type
    # prevents Internet Explorer from displaying them as images:
    # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
    AddType image/x-icon                                cur ico
  # WebAssembly
    AddType application/wasm                            wasm
  # Web fonts
    AddType font/woff                                   woff
    AddType font/woff2                                  woff2
    AddType application/vnd.ms-fontobject               eot
    AddType font/ttf                                    ttf
    AddType font/collection                             ttc
    AddType font/otf                                    otf
  # Other
    AddType application/octet-stream                    safariextz
    AddType application/x-bb-appworld                   bbaw
    AddType application/x-chrome-extension              crx
    AddType application/x-opera-extension               oex
    AddType application/x-xpinstall                     xpi
    AddType text/calendar                               ics
    AddType text/markdown                               markdown md
    AddType text/vcard                                  vcard vcf
    AddType text/vnd.rim.location.xloc                  xloc
    AddType text/vtt                                    vtt
    AddType text/x-component                            htc
</IfModule>

# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
AddDefaultCharset utf-8

# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
<IfModule mod_mime.c>
    AddCharset utf-8 .appcache \
                     .bbaw \
                     .css \
                     .htc \
                     .ics \
                     .js \
                     .json \
                     .manifest \
                     .map \
                     .markdown \
                     .md \
                     .mjs \
                     .topojson \
                     .vtt \
                     .vcard \
                     .vcf \
                     .webmanifest \
                     .xloc
</IfModule>

# Block access to directories without a default document.
#
# You should leave the following uncommented, as you shouldn't allow
# anyone to surf through every directory on your server (which may
# includes rather private places such as the CMS's directories).
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other
# web sites without leaking the user's session identifier in the URL.
#
# This can be done by setting a `Referrer Policy` which
# whitelists trusted sources of content for your website.
#
# To check your referrer policy, you can use an online service
# such as: https://securityheaders.io/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
<IfModule mod_headers.c>
    # no-referrer-when-downgrade (default)
    # This should be the user agent's default behavior if no policy is
    # specified. The origin is sent as referrer to an a-priori as-much-secure
    # destination (HTTPS->HTTPS), but isn't sent to a less secure destination
    # (HTTPS->HTTP).
    Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
</IfModule>

    # Compress all output labeled with one of the following media types.
    #
    # https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/wasm" \
                                      "application/x-font-ttf" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "text/cache-manifest" \
                                      "text/calendar" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/markdown" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>

    # Map the following filename extensions to the specified
    # encoding type in order to make Apache serve the file types
    # with the appropriate `Content-Encoding` response header
    # (do note that this will NOT make Apache compress them!).
    #
    # If these files types would be served without an appropriate
    # `Content-Enable` response header, client applications (e.g.:
    # browsers) wouldn't know that they first need to uncompress
    # the response, and thus, wouldn't be able to understand the
    # content.
    #
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
    # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
    <IfModule mod_mime.c>
_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users
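Why a CSP-enforcing browser stalls on this login page can be seen by resolving the policy the way the browser does. The active policy sets default-src 'none' and never names script-src, connect-src or child-src, so all three fall back to 'none'; form-action 'none' refuses the login form's POST; and frame-ancestors 'none' also forbids the same-origin framing that the config's own X-Frame-Options comment says Roundcube needs. IE11 does not enforce the standard Content-Security-Policy header at all, which is why it keeps working. The script below is an added example written for this thread, not Roundcube or Apache code: it applies the CSP Level 2 fallback rules to the two policies quoted in the post and to a constructed candidate (CANDIDATE is an assumption about what a same-origin login form needs, not a tested Roundcube policy).

```python
"""Resolve a Content-Security-Policy header the way a CSP Level 2 browser does
and list what it would block for a same-origin login page.
Constructed example for this thread; not Roundcube or Apache code."""

# Fetch directives that fall back to default-src when they are absent (CSP 2).
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "child-src",
)


def parse_csp(header):
    """Split a policy into {directive: [source, ...]}.  A repeated directive is
    ignored (first occurrence wins), which is what the spec tells browsers to do."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Source list that actually governs `directive`, or None when the policy
    places no restriction on it at all."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")  # None when there is no default-src either
    return None  # base-uri, form-action, frame-ancestors never fall back


def allows_self(sources):
    """True when same-origin resources are permitted by this source list."""
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if not lowered or "'none'" in lowered:  # an empty list also means 'none'
        return False
    return "'self'" in lowered or "*" in lowered


def allows_inline_script(sources):
    """True when inline <script> blocks may run under this source list."""
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    return "'unsafe-inline'" in lowered or any(
        s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)


# What a same-origin login page needs, and which directive governs each need.
LOGIN_PAGE_NEEDS = (
    ("same-origin scripts", "script-src", allows_self),
    ("inline scripts", "script-src", allows_inline_script),
    ("same-origin stylesheets", "style-src", allows_self),
    ("XMLHttpRequest/fetch to own origin", "connect-src", allows_self),
    ("same-origin iframes (child-src)", "child-src", allows_self),
    ("being framed by its own origin", "frame-ancestors", allows_self),
    ("form submission to own origin", "form-action", allows_self),
)


def login_page_blockers(header):
    """Return the capabilities the page loses under `header`, in LOGIN_PAGE_NEEDS order."""
    policy = parse_csp(header)
    return [what for what, directive, check in LOGIN_PAGE_NEEDS
            if not check(effective_sources(policy, directive))]


# The active "Level 2" policy from the posted httpd-security.conf.
POSTED_LEVEL2 = ("default-src 'none'; img-src 'self'; style-src 'self'; "
                 "font-src 'self'; base-uri 'none'; frame-ancestors 'none'; "
                 "form-action 'none'")

# The policy the poster had commented out just above it.
POSTED_PREVIOUS = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
                   "img-src 'self'; style-src 'self'; frame-ancestors 'self'")

# Constructed candidate (an assumption, not a tested Roundcube policy): keep the
# default-src 'none' lockdown but open the directives a same-origin login form
# needs.  Whether the application also needs 'unsafe-inline' or nonces is a
# question for the browser console, not for this script.
CANDIDATE = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
             "img-src 'self'; style-src 'self'; font-src 'self'; "
             "child-src 'self'; base-uri 'none'; frame-ancestors 'self'; "
             "form-action 'self'")

if __name__ == "__main__":
    for name, header in (("posted level-2", POSTED_LEVEL2),
                         ("posted previous", POSTED_PREVIOUS),
                         ("candidate", CANDIDATE)):
        print(f"{name}: blocks {login_page_blockers(header) or 'nothing on this list'}")
```

Run it and the posted Level 2 policy loses scripts, XHR, iframes, framing and form posts, which matches a login screen that hangs without a server-side error; the commented-out previous policy and the candidate lose only inline scripts, which the browser console will confirm or deny for the Roundcube version in use. A blocked login never reaches Apache's error log, so the console's CSP violation messages (or a Content-Security-Policy-Report-Only header with a report-uri) are the place to look, not the server.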

Re: referrer and cspv2 policies and roundcube

Sophie Loewenthal
Hi,

If you are hitting modsec rules, these ought to be logged in a file. Forgotten the file name because it's been a while. The logging of blocking rules must be enabled in the .conf somewhere. At least this was the case years ago.

At least this can rule out modsec.

Sent from phone, thus brief

On 12 Apr 2020, at 5:08 pm, David Mehler <[hidden email]> wrote:

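On the "rule out modsec" suggestion: with ModSecurity 2.9 a rule that blocks and carries the log action writes a "ModSecurity: Access denied" line to the Apache error log, and the fuller per-transaction record only appears once SecAuditEngine and SecAuditLog are enabled. The script below is an added example written for this thread, not ModSecurity or Roundcube code; it counts denials by rule id and request URI over constructed sample lines (made-up hosts, TEST-NET addresses and unique ids) that follow the 2.9 error-log layout, so a rule that keeps firing on a Roundcube URL stands out as the one to tune.

```python
"""Count ModSecurity 2.x denials in an Apache error log by rule id and URI.
Constructed example for this thread; the SAMPLE_LOG lines follow the 2.9
error-log layout but are made up."""

import re
from collections import Counter

DENIAL = re.compile(r"ModSecurity: Access denied with code (?P<code>\d+)")
# ModSecurity appends its fields as [key "value"]; id, msg, uri and hostname use it.
FIELD = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')


def parse_denial(line):
    """Return (status code, rule id, uri, msg) for a denial line, else None.
    Warnings (detection-only hits) are deliberately skipped."""
    m = DENIAL.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(line))
    return (int(m.group("code")), fields.get("id", "?"),
            fields.get("uri", "?"), fields.get("msg", ""))


def denials_by_rule(lines):
    """Counter keyed by (rule id, uri) over every denial line in `lines`."""
    counts = Counter()
    for line in lines:
        hit = parse_denial(line)
        if hit is not None:
            counts[(hit[1], hit[2])] += 1
    return counts


def read_error_log(path):
    """Run the count over a real error log; point it at Apache's ErrorLog path."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return denials_by_rule(fh)


# Constructed sample: one detection-only warning, then three blocking events.
SAMPLE_LOG = [
    '[Sun Apr 12 17:08:01.000001 2020] [:error] [pid 1234] [client 192.0.2.10:51000] '
    'ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. '
    '[file "/usr/local/etc/modsecurity/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "1"] [id "920300"] [msg "Request Missing an Accept Header"] '
    '[hostname "mail.example.test"] [uri "/roundcube/?_task=mail"] [unique_id "c1"]',
    '[Sun Apr 12 17:08:01.000002 2020] [:error] [pid 1234] [client 192.0.2.10:51000] '
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "/usr/local/etc/modsecurity/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[hostname "mail.example.test"] [uri "/roundcube/?_task=mail"] [unique_id "c1"]',
    '[Sun Apr 12 17:09:14.000001 2020] [:error] [pid 1235] [client 192.0.2.10:51002] '
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "/usr/local/etc/modsecurity/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[hostname "mail.example.test"] [uri "/roundcube/?_task=mail"] [unique_id "c2"]',
    '[Sun Apr 12 17:10:00.000001 2020] [:error] [pid 1236] [client 198.51.100.7:40000] '
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "/usr/local/etc/modsecurity/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] '
    '[hostname "mail.example.test"] [uri "/roundcube/?_task=login"] [unique_id "c3"]',
]

if __name__ == "__main__":
    for (rule_id, uri), n in denials_by_rule(SAMPLE_LOG).most_common():
        print(f"{n:4d}  rule {rule_id}  {uri}")
```

If the count over the real error log is zero while Chrome and Firefox still hang, ModSecurity is ruled out and the Content-Security-Policy header is the remaining suspect; if the same rule id keeps appearing on one Roundcube URI, that rule or argument is what needs a targeted exclusion rather than the whole engine being switched off.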