Summary | Security Headers |
Queue | Horde Groupware |
Queue Version | 5.2.6 |
Type | Enhancement |
State | Feedback |
Priority | 1. Low |
Owners | |
Requester | o+horde (at) immerda (dot) ch |
Created | 05/01/2015 (3666 days ago) |
Due | |
Updated | 01/22/2016 (3400 days ago) |
Assigned | |
Resolved | |
Milestone | |
Patch | No |
State ⇒ Feedback
See request #10391
State ⇒ New
Priority ⇒ 1. Low
Type ⇒ Enhancement
Summary ⇒ Security Headers
Queue ⇒ Horde Groupware
Milestone ⇒
Patch ⇒ No
related http headers. We are currently maintaining our own set of
headers for horde, but I think it would make sense to maintain them
directly within horde and enable by default. Other projects (e.g.
Owncloud) have also begun to do so.
In detail we propose to add the following headers:
1) X-FRAME-OPTIONS: SAMEORIGIN
-> sameorigin is needed for the attachment upload
2) X-Content-Type-Options: nosniff
-> no problems encountered
3) Content-Security-Policy: default-src 'self'; script-src
'unsafe-eval' 'unsafe-inline' 'self'; object-src 'self'; style-src
'unsafe-inline' 'self'; img-src data: 'self'; media-src 'self';
frame-src 'self'; font-src 'self'; connect-src 'self';
-> this is fairly restrictive and might break things. E.g. for the IMP
"open html in separate window" function we have a different policy,
basically lifting restrictions for img-src and style-src to allow
external elements. I assume other parts of horde would need similar
exceptions.
-> But CSP headers are really, really important and I would love to
see them officially supported! E.g. we were not affected by the
latest XSS in the html editor thanks to them.
-> at least frame, script, object and connect could probably be set
without breaking anything.
If there is interest but no resources please tell me so, I might be
able to provide a patch.
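The header set proposed above, as an added worked example that is not code from the ticket or from Horde: the CSP is composed from a directive table so that a per-view exception (the IMP "open HTML in separate window" case, which needs wider img-src and style-src) is derived from the base policy rather than maintained as a second copy, the four-directive subset the requester expects to be safe to ship first is split out, and an audit function checks a response's headers the way a deployment test would. The choice of `https:` as the relaxed source, the view label `html_window`, and the sample responses are assumptions for illustration, not Horde behaviour.

```python
"""Compose and audit the security headers proposed in the ticket.

Added example, not Horde code. The directive values mirror the ticket;
the relaxation for the HTML-in-new-window view (adding https: to img-src
and style-src), the view label, and the sample responses are assumptions.
"""
from collections import OrderedDict

# Base policy exactly as proposed in the ticket, directive order preserved.
BASE_CSP = OrderedDict([
    ("default-src", ["'self'"]),
    ("script-src", ["'unsafe-eval'", "'unsafe-inline'", "'self'"]),
    ("object-src", ["'self'"]),
    ("style-src", ["'unsafe-inline'", "'self'"]),
    ("img-src", ["data:", "'self'"]),
    ("media-src", ["'self'"]),
    ("frame-src", ["'self'"]),
    ("font-src", ["'self'"]),
    ("connect-src", ["'self'"]),
])

# The two fixed headers proposed alongside the CSP.
STATIC_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}


def serialize_csp(policy):
    """Render a directive -> sources mapping as a CSP header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def parse_csp(value):
    """Parse a CSP header value back into an ordered directive mapping."""
    policy = OrderedDict()
    for directive in value.split(";"):
        parts = directive.split()
        if parts:  # skip the empty piece left by a trailing semicolon
            policy[parts[0]] = parts[1:]
    return policy


def relax_for_html_view(policy, extra_sources=("https:",)):
    """Copy `policy` with img-src and style-src widened for external content.

    Models the ticket's exception for the IMP "open HTML in separate
    window" view; allowing https: is an assumption of this example.
    """
    relaxed = OrderedDict((k, list(v)) for k, v in policy.items())
    for directive in ("img-src", "style-src"):
        for src in extra_sources:
            if src not in relaxed[directive]:
                relaxed[directive].append(src)
    return relaxed


def minimal_csp(policy):
    """Keep only the directives the ticket expects to ship without breakage."""
    keep = ("frame-src", "script-src", "object-src", "connect-src")
    return OrderedDict((k, list(policy[k])) for k in keep)


def headers_for(view):
    """Build the full header set for a view; 'html_window' is a made-up label."""
    csp = relax_for_html_view(BASE_CSP) if view == "html_window" else BASE_CSP
    headers = dict(STATIC_HEADERS)
    headers["Content-Security-Policy"] = serialize_csp(csp)
    return headers


def audit_headers(headers):
    """Return a list of findings for a response's security headers.

    Empty when every proposed header is present with the expected value
    and the CSP does not leave script-src or object-src unrestricted.
    """
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name, expected in STATIC_HEADERS.items():
        got = lower.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.upper() != expected.upper():
            findings.append(f"{name} is {got!r}, expected {expected!r}")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
        return findings
    policy = parse_csp(csp)
    for directive in ("script-src", "object-src"):
        # A missing fetch directive falls back to default-src.
        srcs = policy.get(directive, policy.get("default-src"))
        if srcs is None or "*" in srcs:
            findings.append(f"{directive} is unrestricted")
    return findings


if __name__ == "__main__":
    print(serialize_csp(BASE_CSP))
    print(serialize_csp(relax_for_html_view(BASE_CSP)))
    print(audit_headers(headers_for("mail")), audit_headers({"X-Frame-Options": "DENY"}))
```

Deriving the relaxed policy from the base one keeps the exception limited to the two directives the view actually needs; the audit falls back to default-src when script-src or object-src is absent, which is how a browser resolves the policy, so a header like `default-src *` is reported rather than passing because the specific directives are not spelled out.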