Hi all! I upgraded my Roundcube 3 days ago. Since then the images do not show in the emails. I get the error:
    Loading the image '<URL>' violates the following Content Security Policy directive: "img-src 'self' data:". The action has been blocked.
I have tried:
/etc/apache2/conf-enabled/roundcube.conf
    Header always set Content-Security-Policy "img-src 'self' data: http: https:;"
/etc/roundcube/config.inc.php
    $config['csp_img_src'] = "'self' data: http: https:";
    $config['content_security_policy'] = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: http: https:; style-src 'self' 'unsafe-inline';";
    $config['show_images'] = 1;
/etc/roundcube/htaccess
    Header always set Content-Security-Policy "img-src 'self' data: http: https:;"
Still nothing. Has anyone had the same error?
You do not say what operating system and what version is running on that host. You do not say what version of ISPConfig is used. You do not say what the version of Roundcube was before and after the upgrade. How did you do the upgrade? It may well be that ISPConfig supports only the version of Roundcube that comes with the version of the operating system you are using. Does it help if you do ispconfig_update.sh --force and let it reconfigure services when it asks?
The problem was the ISPConfig conf file. If I called Roundcube via userdomain.ua/webmail it worked, all the pictures in the emails loaded. If I called Roundcube via the ISPConfig URL maindomain.ua:8080/webmail the pictures got blocked. I think this block caused it:
    <IfModule mod_headers.c>
        # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
        Header set X-Content-Type-Options: nosniff
        Header set X-Frame-Options: SAMEORIGIN
        Header set X-XSS-Protection: "1; mode=block"
        Header always edit Set-Cookie (.*) "$1; HTTPOnly"
        Header always edit Set-Cookie (.*) "$1; Secure"
        <IfVersion >= 2.4.7>
            Header setifempty Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        <IfVersion < 2.4.7>
            Header set Strict-Transport-Security "max-age=15768000"
        </IfVersion>
        RequestHeader unset Proxy early
    </IfModule>
Roundcube 1.6.5
ISPConfig Version: 3.3.1p1
Debian 12.14
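Why the extra headers tried in the first post changed nothing, as an added example that is not part of the thread: a browser enforces every Content-Security-Policy header it receives and a load must pass all of them, so a looser header cannot override the stricter vhost policy. The simplified matcher below models only 'self' and scheme sources; the image URL and the https scheme of the panel origin are constructed.

```python
from urllib.parse import urlsplit

# Policies quoted in the thread; image URL and https scheme are constructed.
VHOST_CSP = ("default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
             "img-src 'self' data:; object-src 'none'; upgrade-insecure-requests")
ADDED_CSP = "img-src 'self' data: http: https:;"
PAGE_ORIGIN = "https://maindomain.ua:8080"
REMOTE_IMAGE = "https://images.example.net/logo.png"

def parse_policy(header_value):
    """Turn one CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive inside one policy is ignored; the first wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def image_allowed(policy, image_url, page_origin):
    """Check an image URL against img-src, falling back to default-src."""
    sources = policy.get("img-src", policy.get("default-src"))
    if sources is None:
        return True  # this policy places no restriction on images
    url = urlsplit(image_url)
    origin = f"{url.scheme}://{url.netloc}"
    for src in (s.lower() for s in sources):
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and src == url.scheme + ":":
            return True  # scheme source such as data: or https:
    return False  # host and wildcard sources are not modelled here

def blocking_policies(header_values, image_url, page_origin):
    """Every delivered policy must allow the load; return those that block it."""
    return [h for h in header_values
            if not image_allowed(parse_policy(h), image_url, page_origin)]

if __name__ == "__main__":
    for blocked_by in blocking_policies([VHOST_CSP, ADDED_CSP],
                                        REMOTE_IMAGE, PAGE_ORIGIN):
        print("blocked by:", blocked_by)
```

Feeding it the values copied from the response headers of the failing URL (browser developer tools, Network tab) shows which policy has to be changed rather than supplemented.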
The error is obviously because of the CSP set. Why blame ISPConfig when it is your server that your admin needs to configure and manage?
The problem is obviously the CSP set, not ISPConfig. That is also your server, thus your admin needs to configure and manage that, again, not ISPConfig.