
Support CSP nonces in message frames so that unsafe-inline isn't required. #6281

Open
ryancdotorg opened this issue May 4, 2018 · 6 comments · May be fixed by #9513

Comments

@ryancdotorg

Trying for a much more narrowly scoped version of #6202.

The message preview and message content frames each have one big inline script at the top. Adding a nonce attribute to this, and a Content-Security-Policy header with said nonce should be fairly straightforward.

The tricky bit is that there are event handlers added in-line to various elements on the page, mainly via <roundcube:button command="whatever" ... />, though there's an onmouseover defined for the subject line in the default theme.

Perhaps the inline event handlers could be replaced with data-* attributes that an otherwise allowed script can use to make the required addEventListener calls?

@ryancdotorg ryancdotorg changed the title Support CPS nonces in message frames so that unsafe-inline isn't required. Support CSP nonces in message frames so that unsafe-inline isn't required. May 5, 2018
@alecpl
Member

alecpl commented May 6, 2018

Yes, it could be done this way. We're open for pull requests.

@alecpl alecpl added this to the later milestone May 6, 2018
@pezz

pezz commented Jan 25, 2019

Hi gang, is there any movement on this?

I've recently been looking at having a good Content-Security-Policy header on my server, yet Roundcube is one of the big ticket items for me that does not work without 'unsafe-inline' and 'unsafe-eval'.

Cheers.

@Offerel

Offerel commented Jul 11, 2019

Is that on the 4.x roadmap?

@jameslbrown

Any news on this?

@Offerel

Offerel commented Dec 5, 2019

Using nonces isn't really a problem for all the inline <script> tags. This can be done server side. So it's possible to remove unsafe-inline from the CSP header. The only problem is these nasty inline event handlers. It's not that easy to remove them and replace them with some alternative. I tried it today but I failed.

@ryancdotorg
Author

@Offerel If attaching event listeners to each element is too much trouble, you could set passive mouseover and click handlers on the window object and then do dispatch based on the data-* attributes.
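A sketch of the delegated-listener approach the last two comments describe, added here as an example and not Roundcube's own code: markup carries data-command / data-hover attributes (assumed names) and a single nonce-allowed script installs one click and one mouseover listener on window that dispatch through an allow-list. The ancestor walk works on plain objects as well as DOM nodes, so the dispatch logic can be exercised outside a browser.

```javascript
// Added example, not Roundcube code. The server (not shown here) emits one
// fresh random nonce per response, e.g.
//   Content-Security-Policy: script-src 'nonce-R4nd0m'
//   <script nonce="R4nd0m">install(COMMANDS, HOVERS);</script>
// and the markup drops inline handlers in favour of data-* attributes:
//   before: <a href="#" onclick="doReply()">Reply</a>
//   after:  <a href="#" data-command="reply" data-props="all">Reply</a>
//   before: <span onmouseover="showFullSubject()">Subject</span>
//   after:  <span data-hover="subject">Subject</span>

// Walk from the event target up through its ancestors to the first element
// carrying the wanted data-* key (data-command -> dataset.command). Works on
// real DOM nodes and on plain {dataset, parentNode} objects, so it is testable
// without a browser.
function findHandlerElement(target, key) {
  for (let el = target; el; el = el.parentNode) {
    if (el.dataset && typeof el.dataset[key] === 'string') return el;
  }
  return null;
}

// Build one listener for a given data-* key. `commands` is an allow-list
// mapping names to functions; names not in it are ignored, so the attribute
// alone can never reach arbitrary code. Returns the handler's result, or null
// when nothing was dispatched (handy for asserting on the behaviour).
function makeDispatcher(key, commands) {
  return function dispatch(event) {
    const el = findHandlerElement(event.target, key);
    if (!el) return null;
    const name = el.dataset[key];
    if (!Object.prototype.hasOwnProperty.call(commands, name)) return null;
    // Only click handlers suppress the default action (the href="#" jump);
    // mouseover listeners are installed as passive and must not call this.
    if (key === 'command' && typeof event.preventDefault === 'function') {
      event.preventDefault();
    }
    return commands[name](el.dataset.props, el);
  };
}

// Two window-level listeners replace every inline onclick/onmouseover.
// Returns false outside a browser so the module can be loaded in tests.
function install(commands, hovers) {
  if (typeof window === 'undefined') return false;
  window.addEventListener('click', makeDispatcher('command', commands));
  window.addEventListener('mouseover', makeDispatcher('hover', hovers), { passive: true });
  return true;
}
```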
