Send a configurable CSP in every HTML response

The CSP gets adapted to remote objects being allowed or not. It can be configured or disabled via the config option `content_security_policy` (and `content_security_policy_add_allow_remote`).
roundcube · Oct 7, 2024 · e7c37da · e7c37da
1 parent 6b64eab
commit e7c37da
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
@@ -1563,3 +1563,14 @@
 // 0 - Reply-All always
 // 1 - Reply-List if mailing list is detected
 $config['reply_all_mode'] = 0;
+
+// The Content-Security-Policy to use if no remote objects are allowed to
+// be loaded. If you use plugins you might need to extend this.
+// Only change this if you know what you're doing! You can break the whole
+// application with changes to this setting!
+// To disable completely set the value to `false`;
+$config['content_security_policy'] = "default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
+
+// Additions to the Content-Security-Policy to use if remote objects *are*
+// allowed to be loaded.
+$config['content_security_policy_add_allow_remote'] = 'img-src *; media-src *; font-src: *; frame-src: *;';
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
@@ -728,6 +728,8 @@ public function page_headers()
                 $this->header('X-Frame-Options: sameorigin', true);
             }
         }
+
+        $this->add_csp_header();
     }
 
     /**
@@ -2717,4 +2719,19 @@ protected function get_template_logo($type = null, $match = null)
 
         return $template_logo;
     }
+
+    /**
+     * Add the Content-Security-Policy to the HTTP response headers (unless it
+     * is disabled).
+     */
+    protected function add_csp_header(): void {
+        $csp = $this->app->config->get('content_security_policy');
+        if (!in_array($csp, ['', false, 'false'])) {
+            $csp_header = "Content-Security-Policy: $csp";
+            if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
+                $csp_header .= $this->app->config->get('content_security_policy_add_allow_remote');
+            }
+            $this->header($csp_header);
+        }
+    }
 }