znuny / Znuny

Znuny/Znuny LTS is a fork of the ((OTRS)) Community Edition, one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management.
https://www.znuny.org
GNU General Public License v3.0

Blocking external content using CSP enhanced #378

Open pboguslawski opened 1 year ago

pboguslawski commented 1 year ago

Proposed change

CSP header changed to better block loading of external content.

Znuny tries to filter external content in HTML e-mails using Perl regexps; this way it's difficult to predict and block all HTML/JS/CSS quirks, e.g. Znuny does not block remote image loading if used in CSS like this

<div style="background:url('http://badspammer.com/tracking/1/TrackRead.aspx?mail_id=1F4CA3DD-24E0-4C14-B631-A7567EAA5D83')"></div>

which may allow spammers to notice that their junk was read by the receiver.

Using the Content Security Policy described on http://www.html5rocks.com/en/tutorials/security/content-security-policy/ seems to be the proper way of blocking external content in iframes. According to https://content-security-policy.com/ it should work fine in modern browsers.

This mod adds

Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline'

HTTP header for iframes with HTML e-mails, which forces modern web browsers to block all external and inline content except inline styling (often used in HTML e-mails). The CSP header is not added if the user explicitly unlocks external content using the link provided by Znuny.

In the future it may be a good idea to drop Znuny's own filtering to offload this task from busy application servers (parsing huge HTML content may cause problems...) to web browsers.

Type of change

Additional information

Related: https://github.com/OTRS/otrs/pull/1501 Author-Change-Id: IB#1047017

Checklist
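The two points made above (a regexp filter catches `<img src>` but misses a tracking URL hidden in a CSS `url()`, while the proposed `Content-Security-Policy` header makes the browser refuse that fetch anyway) can be checked with a small script. This is an added example, not Znuny's code and not the patch in this pull request; it is written in Python rather than Znuny's Perl. The naive regexp filter, the sample e-mail, the `pixel.gif` path, the `iframe_response_headers` helper and the origin `https://znuny.example` are all constructed for the illustration, and the CSP evaluator implements only the directive fallback and the `'self'`/`'unsafe-inline'`/host-source rules needed to evaluate this header.

```python
import re
from urllib.parse import urlparse

# The header proposed in the PR, byte for byte.
CSP_HEADER = "default-src 'self'; style-src 'unsafe-inline'"

# Constructed sample e-mail (not from the page): one remote <img> and the
# CSS background tracker quoted in the PR.
SAMPLE_MAIL = """<html><body>
<p style="color:#333">Hello!</p>
<img src="http://badspammer.com/tracking/1/pixel.gif" width="1" height="1">
<div style="background:url('http://badspammer.com/tracking/1/TrackRead.aspx?mail_id=1F4CA3DD-24E0-4C14-B631-A7567EAA5D83')"></div>
</body></html>"""

# Hypothetical regexp filter standing in for Znuny's own (which this example
# does not reproduce): it drops a remote src= attribute from <img> tags only.
REMOTE_IMG_SRC_RE = re.compile(
    r'(<img\b[^>]*?)\s+src\s*=\s*["\']https?://[^"\']*["\']', re.I)
URL_RE = re.compile(r'https?://[^\s"\')<>]+', re.I)


def naive_strip_remote_images(html: str) -> str:
    """Remove remote <img src> references; CSS url() is left untouched."""
    return REMOTE_IMG_SRC_RE.sub(r"\1", html)


def remaining_remote_urls(html: str) -> list:
    """Every http(s) URL still present after filtering."""
    return URL_RE.findall(html)


def parse_csp(header: str) -> dict:
    """Split 'dir a b; dir2 c' into {'dir': ['a','b'], 'dir2': ['c']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


# Fetch directives that fall back to default-src when absent.
FALLS_BACK_TO_DEFAULT = {"img-src", "style-src", "script-src", "font-src",
                         "frame-src", "connect-src", "media-src"}


def csp_allows(policy: dict, directive: str, page_origin: str,
               inline: bool = False, request_url: str = None) -> bool:
    """Simplified source-list matching for one load under one directive."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True            # nothing in the policy governs this load
    if "'none'" in sources:
        return False
    if inline:                 # inline style attribute / <style> block
        return "'unsafe-inline'" in sources
    req = urlparse(request_url)
    req_origin = f"{req.scheme}://{req.netloc}"
    for src in sources:
        if src == "'self'" and req_origin == page_origin:
            return True
        if src == "*":
            return True
        if src.startswith("'"):
            continue           # other keyword sources are not modelled here
        if src in (req_origin, req.netloc):
            return True        # host-source (scheme-less or full origin)
    return False


def evaluate_mail(html: str, csp_header: str,
                  page_origin: str = "https://znuny.example") -> dict:
    """Map each remote URL (and inline styling) to allowed/blocked."""
    policy = parse_csp(csp_header)
    results = {"inline_style": csp_allows(policy, "style-src", page_origin,
                                          inline=True)}
    for url in remaining_remote_urls(html):
        # CSS background images are fetched under img-src, which here falls
        # back to default-src 'self', so the tracker is refused.
        results[url] = csp_allows(policy, "img-src", page_origin,
                                  request_url=url)
    return results


def iframe_response_headers(unlocked_by_user: bool) -> dict:
    """Headers for the iframe response; CSP omitted only after an explicit unlock."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if not unlocked_by_user:
        headers["Content-Security-Policy"] = CSP_HEADER
    return headers


if __name__ == "__main__":
    filtered = naive_strip_remote_images(SAMPLE_MAIL)
    print("left after regexp filter:", remaining_remote_urls(filtered))
    for k, v in evaluate_mail(filtered, CSP_HEADER).items():
        print("allowed" if v else "BLOCKED", k)
```

Running it shows the CSS tracker surviving the regexp pass and then being blocked by the policy, while the inline `style=` attributes stay usable; with an empty header (the unlocked case) every load is allowed, which is exactly the behaviour the PR describes.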