Probable bug in Roundcube default Content-Security-Policy
We see that if we use the webmail from the default URL of the server:
https://nameoftheserver:8081/webmail
basically no images are loaded in the webmail, because a "Content-Security-Policy" error is raised, like:
Content-Security-Policy: Loading a resource from https://external-url/9/9d08eac.png was blocked by the page settings ("img-src").
In my opinion the configuration here:
-- /etc/apache2/sites-available/apps.vhost
Line 31:
# ISPConfig 3.1 currently requires unsafe-inline for both scripts and styles, as well as unsafe-eval
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
should be a little more relaxed, like:
# ISPConfig 3.1 currently requires unsafe-inline for both scripts and styles, as well as unsafe-eval
Header set Content-Security-Policy "'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'"
otherwise the webmail from the default URL is basically useless for HTML mail. And this is a problem, because we are trying to keep our installation as standard as possible. We know that we can use a different host to access the webmail (like webmail.domain.com or something like that), but IMHO this should also be fixed on the main host above.
Tell me your thoughts about it. Thanks.
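As an added example, not code from the post, ISPConfig or Roundcube: a small Python checker that applies the CSP source-matching rules (the 'self', 'none', scheme-source and host-source forms, plus the img-src to default-src fallback) to the two headers quoted in the post. The page URL and the blocked image URL are the ones from the post; RELAXED_IMG_SRC is my own constructed alternative that keeps default-src and widens only img-src.

```python
"""Check which image URLs a Content-Security-Policy lets a page load.

Added example, not code from the forum post, ISPConfig or Roundcube. It
implements the CSP source-matching rules that matter for img-src and the
img-src -> default-src fallback, so the blocked-image symptom from the post
can be reproduced offline.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Fetch directives a browser recognises; any other directive name is ignored.
FETCH_DIRECTIVES = {
    "default-src", "img-src", "script-src", "style-src", "object-src",
    "connect-src", "font-src", "media-src", "frame-src", "child-src",
    "worker-src", "manifest-src",
}

def parse_csp(header):
    """Return {directive-name: [source expressions]}; names are
    case-insensitive and the first occurrence of a name wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def unknown_directives(header):
    """Directive names a browser would silently ignore."""
    return [n for n in parse_csp(header) if n not in FETCH_DIRECTIVES]

def _scheme_matches(pattern_scheme, url_scheme):
    # Exact match, or the http -> https upgrade the spec permits.
    return url_scheme == pattern_scheme or (pattern_scheme, url_scheme) == ("http", "https")

def _effective_port(u):
    return u.port or DEFAULT_PORTS.get(u.scheme)

def _host_source_matches(expr, url, origin):
    """[scheme://]host[:port][/path]; host may be * or *.example.com."""
    scheme, rest = (expr.split("://", 1) if "://" in expr else (None, expr))
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    host, url_host = host.lower(), (url.hostname or "")
    if not _scheme_matches((scheme or origin.scheme).lower(), url.scheme):
        return False
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif host != "*" and host != url_host:
        return False
    # No port in the pattern means the URL must use its scheme's default port.
    if port == "*":
        pass
    elif port:
        if _effective_port(url) != int(port):
            return False
    elif _effective_port(url) != DEFAULT_PORTS.get(url.scheme):
        return False
    if slash:  # trailing "/" is a prefix match, anything else must be exact
        want = "/" + path
        return url.path.startswith(want) if want.endswith("/") else url.path == want
    return True

def _source_matches(expr, url, origin):
    keyword = expr.lower()
    if keyword == "'none'":
        return False
    if keyword == "'self'":
        return (url.scheme, url.hostname, _effective_port(url)) == (
            origin.scheme, origin.hostname, _effective_port(origin))
    if keyword.startswith("'"):
        return False  # 'unsafe-inline', nonces and hashes never authorise a URL fetch
    if keyword.endswith(":") and "/" not in keyword:
        return _scheme_matches(keyword[:-1], url.scheme)  # scheme source: data:, https:
    return _host_source_matches(expr, url, origin)

def allowed(header, resource_url, page_url, directive="img-src"):
    """True if `directive`, falling back to default-src, lets `page_url` load
    `resource_url`. With neither directive present the load is unrestricted."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    url, origin = urlsplit(resource_url), urlsplit(page_url)
    return any(_source_matches(s, url, origin) for s in sources)

PAGE = "https://nameoftheserver:8081/webmail"          # webmail URL from the post
REMOTE_IMAGE = "https://external-url/9/9d08eac.png"   # blocked URL from the post
ISPCONFIG_DEFAULT = ("default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                     "img-src 'self' data:; object-src 'none'")
POSTED_PROPOSAL = "'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'"
# Constructed alternative: keep default-src, widen only img-src to any https host.
RELAXED_IMG_SRC = ("default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                   "img-src 'self' data: https:; object-src 'none'")

if __name__ == "__main__":
    for label, header in (("ISPConfig default", ISPCONFIG_DEFAULT),
                          ("posted proposal", POSTED_PROPOSAL),
                          ("img-src https:", RELAXED_IMG_SRC)):
        print(f"{label:18} remote image allowed={allowed(header, REMOTE_IMAGE, PAGE)}"
              f" ignored directives={unknown_directives(header)}")
```

Running it reproduces the symptom: the ISPConfig default rejects the external image because img-src is `'self' data:` only, and 'self' also requires the page's own port (8081), so even the same host on 443 would be refused. The header proposed in the post has no `default-src` name in front of its first source list, so a browser ignores that directive and enforces only `object-src 'none'`; that does load the images, but it also lifts the restriction from scripts, styles and every other fetch. Widening only img-src (for example to `https:`) keeps the rest of the policy intact.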