WebMail Lite Documentation

Content-Security-Policy

Starting from v8.5.1, WebMail Lite supports sending a Content-Security-Policy header, which helps prevent cross-site scripting, clickjacking and code injection attacks. CSP instructs the browser to load content only from the allowed sources.

Starting from 8.5.3

If you require the Content-Security-Policy feature to be enabled, make sure the ContentSecurityPolicy setting in the data/settings/modules/CoreWebclient.config.json configuration file is set to the following secure value:

"ContentSecurityPolicy": [
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; img-src * data: blob:; frame-src *; font-src 'self' data:",
    "string",
    null,
    "Specifies CSP header used for protection from cross-site scripting, clickjacking, code injection attacks"
],

As you can see, it is a compound value made up of the following directives and sources:

  • default-src 'self';
    Required. Base setting, permits loading content (images, JS files etc.) from the same domain.
  • default-src 'unsafe-eval';
    Required due to use of KnockoutJS framework.
  • default-src 'unsafe-inline';
    Required. Used for injecting JS with variables into HTML.
  • img-src *;
    Allows displaying images in messages.
  • img-src data:;
    Used for images in signature and messages, image in IOS module, <link rel="shortcut icon">.
  • default-src blob:; img-src blob:;
    Used in encrypted files.
  • frame-src *;
    Used for shortcuts in Files.
  • font-src 'self' data:;
    Required by the video-JS vendor library in OpenPgpFilesWebclient (public link for a file).

So, for instance, if you don't require encrypted files or file shortcuts, you can remove the corresponding sources from the combined CSP header value.
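The following helper, added here as an example and not part of WebMail Lite itself, parses the documented CSP value, removes the sources that belong to a feature you have decided not to use (following the bullet list above), reads the active value back out of the CoreWebclient.config.json array form, and lists the sources that still weaken the policy ('unsafe-inline', 'unsafe-eval' and the wildcard). The function names, the FEATURE_SOURCES table and the embedded config sample are assumptions made for illustration; the policy string itself is the one shown above.

```python
"""Inspect and tighten the ContentSecurityPolicy value used by WebMail Lite.

Added example: the helpers and the feature-to-source table are
illustrative assumptions derived from the documentation's bullet list,
not code shipped with WebMail Lite.
"""
import json
from collections import OrderedDict

# Documented secure default for 8.5.3 and later.
DEFAULT_CSP = ("default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; "
               "img-src * data: blob:; frame-src *; font-src 'self' data:")

# Hypothetical table: which sources each optional feature needs,
# taken from the documentation's per-directive explanations.
FEATURE_SOURCES = {
    "encrypted_files": {"default-src": {"blob:"}, "img-src": {"blob:"}},
    "file_shortcuts": {"frame-src": {"*"}},
    "remote_message_images": {"img-src": {"*"}},
}

# Constructed sample of the array form used in CoreWebclient.config.json:
# [value, type, default, description].
SAMPLE_CONFIG = json.dumps({
    "ContentSecurityPolicy": [
        DEFAULT_CSP, "string", None,
        "Specifies CSP header used for protection from cross-site scripting, "
        "clickjacking, code injection attacks",
    ]
})


def parse_csp(value):
    """Split 'dir src src; dir src' into an ordered mapping directive -> sources."""
    policy = OrderedDict()
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Directive names are case-insensitive; normalise to lowercase.
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Rebuild the header string; directives left without sources are dropped
    so the browser falls back to default-src for them."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items() if s)


def drop_feature_sources(value, disabled_features):
    """Return the policy with the sources of the given features removed."""
    policy = parse_csp(value)
    for feature in disabled_features:
        for directive, sources in FEATURE_SOURCES[feature].items():
            if directive in policy:
                policy[directive] = [s for s in policy[directive] if s not in sources]
    return serialize_csp(policy)


def risky_sources(value):
    """List (directive, source) pairs that weaken the policy: wildcards and
    the 'unsafe-*' keywords the docs above say the application still needs."""
    weak = {"*", "'unsafe-inline'", "'unsafe-eval'"}
    return [(d, s) for d, srcs in parse_csp(value).items() for s in srcs if s in weak]


def setting_value(config_text):
    """Extract the active CSP string from the config JSON.
    Returns '' when the header has been disabled with an empty string."""
    entry = json.loads(config_text)["ContentSecurityPolicy"]
    return entry[0] if isinstance(entry, list) else entry


if __name__ == "__main__":
    active = setting_value(SAMPLE_CONFIG)
    print("active policy :", active)
    print("weak sources  :", risky_sources(active))
    tightened = drop_feature_sources(active, ["encrypted_files", "file_shortcuts"])
    print("without encrypted files / shortcuts:", tightened)
```

Keep in mind that removing every source of a directive (frame-src in the example) makes the browser apply default-src to that content type, which is the intended fallback here; the remaining 'unsafe-inline' and 'unsafe-eval' entries cannot be dropped without breaking the KnockoutJS-based UI, as the list above notes.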

If you wish to disable sending the Content-Security-Policy header, set the ContentSecurityPolicy setting in the data/settings/modules/CoreWebclient.config.json file to an empty string.

Prior to 8.5.3

By default, the feature is enabled and the CSP header is set to a secure value configured in the data/settings/config.json file:

"ContentSecurityPolicy": [
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; img-src * data:; frame-src *",
    "string"
],


To disable sending this header, set the value to empty string.