Roundcube html preview not working

Discussion in 'Plugins/Modules/Addons' started by Stelios, Nov 23, 2020.

Tags:
  1. Stelios

    Stelios Member HowtoForge Supporter

    Hi all,

    When I get a newsletter (no matter the recipient or the source of the content) I get a warning to allow the content which I do click to allow.
    The problem is that images on the newsletter are not loading at all while of course they do exist on the proper paths. Right click open image in new tab works fine and displays the image.
    Same newsletter if I forward it to my gmail account looks as it should (loads the images).
    I thought in the first place that some of my modsecurity rules was causing this but I put all servers under detectiononly mode and still the same.

    Anyone with an idea?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Open the developer tools of your browser and go to console. Then load the mail and see if there are any errors in the console.
     
  3. Stelios

    Stelios Member HowtoForge Supporter

    The errors are the same in all newsletter but is not true, it throws 404 for images but the url is correct and working fine if I call it direct:
    Code:
    Failed to load resource: the server responded with a status of 404 (Photo not found)
    and also:
    Code:
    Refused to load the image 'https://mydomain.com/uploadimages/image/username/travel.png' because it violates the following Content Security Policy directive: "img-src 'self' data:".
    Forwarding the same email to any gmail, yahoo etc account works fine, it is only under ISPconfig that throws the above and doesn't work.
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  5. Stelios

    Stelios Member HowtoForge Supporter

    @Th0m this is the default installation as per docs under https://controlpanelserver:8080/webmail
    I don't want to change the url as is been used from many clients so far.
    Is there any solution without adding a new virtual host /url ?
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Set different csp headers for roundcube, you could do that in a .htaccess file for apache, or in vhost config for apache or nginx.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    In /etc/apache2/sites-available/ispconfig.vhost comment out the "Header set Content-Security-Policy (...)" lines. But this will be overwritten on ISPConfig update.

    Though I think a better and future proof solution would be to create a separate website and communicate this to your customers (especially when they have issues like you report now). You can also set up a redirect for /webmail that goes to webmail.example.com.
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I think you mean Roundcube ;)
    You could unset it aswell:
    Code:
    nano /var/lib/roundcube/.htaccess
    at the top, add
    add
    Code:
    Header unset Content-Security-Policy
     
    atle likes this.
  9. Stelios

    Stelios Member HowtoForge Supporter

    @Th0m Thanks a lot for the update; that worked fine.
     
    Th0m likes this.
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Th0m likes this.
  11. Stelios

    Stelios Member HowtoForge Supporter

    @Jesse Norell from the first link they do have:
    Code:
    Header unset Content-Security-Policy
    Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
    
    but even the user that is posted is not sure if the first line with the ‘unset’ is needed.
    Correct me if I'm wrong but all that content-security-policy can be grabbed from OWASP modsecurity rules as well if anyone have them in place.
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should either set the header with specified settings, or unset it, not both.
     
  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    These CSP headers are a separate thing from modsecurity rules, this is strictly the http server instructing the http client how to act. The correct, or best settings are applications specific, you can't just grab a random set. Well, you could and try and it might work, but it's better to understand what each setting specifies and choose the most secure option for the application.

    Eg. in roundcube, you will be opening/viewing html that comes in email from any random source, so you sure don't want to allow it to open script from a remote site (which would be allowed if CSP were completely unset), and you really don't want to allow inline script either, but if roundcube itself uses inline script (I don't know if it does), you would have to allow 'unsafe-inline' or roundcube wouldn't function right. A better solution would be to change roundcube to not use inline script itself, so it didn't require allowing it in CSP. And it might do that, I'm just tossing this out as an example. I've not dug into this for roundcube yet, though I'd like to look at it more, as it is an important security setting.
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Actually per the notes in I think the first thread I linked to, it required unsetting the header (which in our case would be set for what ISPConfig uses) before setting a new value, so doing both was correct. I've not tried it.
     

Share This Page