Embedded images are no longer displayed in Roundcube email when using the "Show Images" button. Inspecting the page and checking the browser console confirmed that the issue is due to Content Security Policy (CSP).
The lines look like:
Content Security Policy The page's settings blocked the loading of a resource <resource url>
Roundcube mostly leaves this up to the server administration. There are a few recommended settings to enable in the hidden /var/lib/roundcube/.htaccess file, and general security settings to add to /var/lib/roundcube/apache.conf as well.
In Ubuntu 18 and Ubuntu 20, the install is split, but the applicable configurable items are in /var/lib/roundcube.
1. Update the following sections of the Apache .htaccess file by removing the # comment from the beginning of the Header lines below.
$ sudo vi /var/lib/roundcube/.htaccess
# This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit).
Header set X-XSS-Protection "1; mode=block"
# The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks
# Already set by php code! Do not activate both options
Header set X-Frame-Options SAMEORIGIN
# It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.
Header set X-Content-Type-Options: "nosniff"
# CSP - Content Security Policy
# for better privacy/security ask browsers to not set the Referer
# more flags for script, stylesheets and images available, read RFC for more information
# Note: "Referrer-Policy: same-origin" is already set by php code.
Header set Content-Security-Policy "referrer no-referrer"
Save with: <esc>:wq
2. Update the Roundcube apache.conf and add the security headers. Adjust the values to suit your own environment.
Within apache.conf, we need to update the <Directory /var/lib/roundcube/> directive and add the Header directives.
$ sudo vi /var/lib/roundcube/apache.conf
<Directory /var/lib/roundcube/>
  # This is needed to parse /var/lib/roundcube/.htaccess. See its
  # content before setting AllowOverride to None.
  <IfVersion >= 2.3>
    Require all granted
  </IfVersion>
  <IfVersion < 2.3>
    Allow from all
  </IfVersion>
  AddType application/x-httpd-php .php
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set Content-Security-Policy "default-src 'self'; font-src *; img-src * https: http:; media-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.mindwatering.com *.mindwatering.net; style-src * 'unsafe-inline'; frame-src 'self' myserver.mindwatering.net; frame-ancestors 'self' myserver.mindwatering.net;"
  Header always set Referrer-Policy "strict-origin"
</Directory>
Save with: <esc>:wq
3. Reload apache2 and test
$ sudo systemctl reload apache2
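To see what the policy from step 2 permits before reloading Apache, the following Python example (added here, not part of the original note or of Roundcube) parses a CSP header, tests whether an image URL passes img-src, and lists the sources that loosen the policy. The source matching is simplified, and PAGE_ORIGIN, the image URL and the bare "default-src 'self'" comparison policy are constructed values.

```python
from urllib.parse import urlsplit

# Policy copied from the apache.conf step; PAGE_ORIGIN is a constructed placeholder.
POLICY = ("default-src 'self'; font-src *; img-src * https: http:; media-src *; "
          "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.mindwatering.com "
          "*.mindwatering.net; style-src * 'unsafe-inline'; "
          "frame-src 'self' myserver.mindwatering.net; "
          "frame-ancestors 'self' myserver.mindwatering.net;")
PAGE_ORIGIN = "https://mail.example.org"

def parse_csp(header):
    """Return {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(source, url, page_origin=PAGE_ORIGIN):
    """Simplified source-expression matching (no ports or paths)."""
    u, s = urlsplit(url), source.lower()
    if s == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if s.startswith("'"):                 # 'none', 'unsafe-inline', ... match no URL
        return False
    if s == "*":                          # wildcard covers network schemes, not data:
        return u.scheme in ("http", "https")
    if s.endswith(":"):                   # scheme-source such as https:
        return u.scheme == s[:-1]
    host = s.split("://")[-1].split("/")[0]
    if host.startswith("*."):             # *.example.org matches subdomains only
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def allowed(policy, directive, url):
    """Fetch directives such as img-src fall back to default-src when absent."""
    sources = policy.get(directive, policy.get("default-src"))
    return sources is None or any(source_matches(s, url) for s in sources)

def risky_sources(policy):
    """List (directive, source) pairs that loosen the policy and deserve review."""
    return sorted((d, s) for d, srcs in policy.items() for s in srcs
                  if s in ("*", "'unsafe-inline'", "'unsafe-eval'"))

if __name__ == "__main__":
    strict, page = parse_csp("default-src 'self'"), parse_csp(POLICY)
    img = "http://images.example.net/logo.png"   # constructed remote image URL
    print("default-src 'self' only:", allowed(strict, "img-src", img))
    print("policy from apache.conf:", allowed(page, "img-src", img))
    print("review:", risky_sources(page))
```

Neither * nor the http: and https: scheme sources cover data: URIs, so an image supplied as a data: URI is still rejected by this img-src list.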