roundcube / roundcubemail

The Roundcube Webmail suite
https://roundcube.net
GNU General Public License v3.0

Document a working Content-Security-Policy #9638

Open pabzm opened 2 weeks ago

pabzm commented 2 weeks ago

Prerequisites

Proposal

We should document a Content-Security-Policy that is as strict as possible without breaking any usage of Roundcube.

Motivation and context

These days, CSPs are a relevant part of web security. We should help people with that. It might also reduce the number of issues in which people have problems due to a CSP or have questions about it.

pabzm commented 2 weeks ago

This was inspired by #9634

pabzm commented 2 weeks ago

We could start to include a CSP in all our HTTP headers, too, and then send a stricter one unless remote objects are allowed!
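As an added example (not Roundcube's code, and not a policy the project has tested against its UI), the strict-by-default, relaxed-only-when-remote-objects-are-allowed idea from the comment above, written as a small header builder plus a check for the weaknesses a reviewer would flag in a proposed policy; the directive values are assumptions chosen for illustration.

```python
# Added example (not Roundcube project code): build a strict CSP header and
# relax only the directives needed when remote objects are allowed, then
# lint a policy for weaknesses a reviewer would flag. The directive values
# are assumptions, not a policy verified against Roundcube's own UI.

def build_csp(allow_remote_objects: bool = False) -> str:
    """Return a Content-Security-Policy header value."""
    policy = {
        "default-src": ["'self'"],
        "script-src": ["'self'"],
        "style-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "form-action": ["'self'"],
        "frame-ancestors": ["'self'"],
    }
    if allow_remote_objects:
        # Remote images/media in a message need network sources; scripts
        # and plugins stay locked down regardless of this setting.
        policy["img-src"].append("https:")
        policy["media-src"] = ["'self'", "https:"]
    return "; ".join(f"{d} {' '.join(v)}" for d, v in policy.items())


def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive: [sources]}."""
    out = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def csp_findings(header: str) -> list:
    """Return the weaknesses found in a CSP header value (empty if none)."""
    p = parse_csp(header)
    findings = []
    scripts = p.get("script-src", p.get("default-src", []))
    if "'unsafe-inline'" in scripts or "*" in scripts:
        findings.append("script-src allows inline or wildcard scripts")
    if "object-src" not in p and "'none'" not in p.get("default-src", []):
        findings.append("object-src not restricted")
    if "base-uri" not in p:
        findings.append("base-uri missing")
    return findings
```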