Roundcube Embedded Images CSP Issue

Mindwatering Incorporated

Author: Tripp W Black

Created: 08/06 at 02:06 PM



Embedded images are no longer display, with the "Show Images" button in Roundcube email. An inspection of the page, and a look at the browser console confirmed the issue is due to Content Security Policy (CSP).

The lines look like:
Content Security Policy The page's settings blocked the loading of a resource <resource url>

One Solution:
Roundcube mostly leaves this up to the server administration. There are a few recommended settings to be enabled in the hidden /var/lib/roundcube/.htaccess file, and general security settings to the /var/lib/roundcube/apache.conf, as well.
In Ubuntu 18 and Ubuntu 20, the install is split, but the applicable configurable items are in /var/lib/roundcube.

1. Update the .htaccess Apache file's following sections by removing the # comment from the beginning of the bolded lines below.
$ sudo vi /var/lib/roundcube/.htaccess
# X-Xss-Protection
# This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit).
Header set X-XSS-Protection "1; mode=block"

# X-Frame-Options
# The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks
# Already set by php code! Do not activate both options
Header set X-Frame-Options SAMEORIGIN

# X-Content-Type-Options
# It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.
Header set X-Content-Type-Options: "nosniff"

# CSP - Content Security Policy
# for better privacy/security ask browsers to not set the Referer
# more flags for script, stylesheets and images available, read RFC for more information
# Note: "Referrer-Policy: same-origin" is already set by php code.
Header set Content-Security-Policy "referrer no-referrer"

Save with: <esc>:wq

2. Update the Roundcube apache.conf and add the security headers. Update to your own environmental needs.
Within the apache.conf, we need to update the <Directory /var/lib/roundcube/> directive, and add the Header directives.

$ sudo vi /var/lib/roundcube/apache.conf
<Directory /var/lib/roundcube/>
Options +FollowSymLinks
# This is needed to parse /var/lib/roundcube/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
<IfVersion >= 2.3>
Require all granted
<IfVersion < 2.3>
Order allow,deny
Allow from all
AddType application/x-httpd-php .php
Header always set X-XSS-Protection "1; mode=block"
Header always set x-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'; font-src *; img-src * https: http:; media-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' * *; style-src * 'unsafe-inline'; frame-src 'self'; frame-ancestors 'self';"
Header always set Referrer-Policy "strict-origin"

Save with: <esc>:wq

3. Reload apache2 and test
$ sudo systemctl reload apache2

previous page