the-djmaze / snappymail

Simple, modern & fast web-based email client
https://snappymail.eu
GNU Affero General Public License v3.0

Webmail in Frame "X-Frame-Options" #1582

Closed UNICodehORN closed 1 month ago

UNICodehORN commented 2 months ago

Describe the bug: In rainloop it was possible to display webmail in a frame without setting any special option. With snappymail I get an "X-Frame Deny" after upgrading.

To Reproduce: Include snappymail in an iframe

Expected behavior: Snappymail should be loaded.

Additional context: Problem seems to be in csp.php in line 87 and following; there the option is set to "DENY". Not sure why the else clause was commented out. I guess best practice would be to set a config like "allow display in frame". And then add this case in csp.php.

the-djmaze commented 2 months ago

You are missing the frame-ancestors setting in content_security_policy in the application.ini
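
Added example, not part of the thread and not SnappyMail's code: a simplified JavaScript model of how a browser decides whether a page may be framed. It shows why a `frame-ancestors` allowlist in the CSP governs embedding, with `X-Frame-Options` consulted only when the CSP has no such directive. All hostnames and header values are constructed.

```javascript
// Added example (not SnappyMail code): may `parentUrl` frame `pageUrl`?
// Simplified: checks the immediate parent only; no scheme-upgrade matching.

// Source list of the frame-ancestors directive, or null when the CSP has none.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}
const effectivePort = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');

// Match one CSP source expression against the embedding (parent) origin.
function sourceMatches(source, parent, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parent.origin === page.origin;
  if (s === '*') return /^https?:$/.test(parent.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?\/?$/);
  if (!m) return false; // unparsable source or source with a path: fail closed
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : page.protocol;
  const hostOk = wildcard ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
  const wantPort = port || (wantScheme === 'https:' ? '443' : '80');
  const portOk = wantPort === '*' || effectivePort(parent) === wantPort;
  return parent.protocol === wantScheme && hostOk && portOk;
}

// `headers` uses lower-case header names as keys.
function framingAllowed(headers, pageUrl, parentUrl) {
  const page = new URL(pageUrl), parent = new URL(parentUrl);
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors is present: it is enforced and X-Frame-Options is ignored.
    return sources.some((s) => sourceMatches(s, parent, page));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parent.origin === page.origin;
  return true; // no framing restriction was sent
}

// Constructed sample: DENY plus a frame-ancestors allowlist for one portal.
const sampleHeaders = {
  'x-frame-options': 'DENY',
  'content-security-policy': "default-src 'self'; frame-ancestors https://portal.example.org",
};
console.log(framingAllowed(sampleHeaders, 'https://mail.example.org/', 'https://portal.example.org/'));
```

Listing only the origins that need to embed the webmail keeps clickjacking protection in place for every other site.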