From 2048df04b79c9af07287d99ee7d627dd32d9849c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 8 Apr 2016 14:06:10 +0200 Subject: =?UTF-8?q?Move=20Gr=C3=A9goire's=20comment=20to=20the=20right=20t?= =?UTF-8?q?icket.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../comment_1_4156da3309262dc53fff06dbbbcbb30c._comment | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment (limited to 'tracker/CSP_too_strict') diff --git a/tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment b/tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment new file mode 100644 index 0000000..ce90b13 --- /dev/null +++ b/tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment @@ -0,0 +1,10 @@ +[[!comment format=mdwn + username="Grégoire" + avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" + subject="Still a problem with http urls" + date="2016-04-08T09:50:11Z" + content=""" +Now some of the images work but not all. According to Firefox' console, http URLs are upgraded to https which may not work all the time. + +I don't know if it is possible but a better way to do this may be to use roundcube as a proxy for images and other inline content? +"""]] -- cgit v1.2.3 From f6343eda1e951a5ea2b0e62f2ffc75fc825e8448 Mon Sep 17 00:00:00 2001 From: guilhem Date: Fri, 8 Apr 2016 14:14:46 +0200 Subject: Added a comment: Further weakened the Content-Security-Policy --- .../comment_2_01c8f3bc631f9ddecb109455233d6f09._comment | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment (limited to 'tracker/CSP_too_strict') 
diff --git a/tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment b/tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment new file mode 100644 index 0000000..c6df409 --- /dev/null +++ b/tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment @@ -0,0 +1,8 @@ +[[!comment format=mdwn + username="guilhem" + avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" + subject="Further weakened the Content-Security-Policy" + date="2016-04-08T12:14:46Z" + content=""" +Alright, just [removed](https://git.fripost.org/fripost-ansible/commit/?id=e370313ad5895871479fffc922e3c72c0375dbf2) [`upgrade-insecure-requests`](https://www.w3.org/TR/upgrade-insecure-requests/#upgrade-insecure-requests) and [`block-all-mixed-content`](https://www.w3.org/TR/mixed-content/#block_all_mixed_content) from the CSP. Again, with the hope that Roundcube's built-in filter is tight enough by default… +"""]] -- cgit v1.2.3 From e44933421b356db9a49fe73be7ff661bb5bab364 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire?= Date: Fri, 8 Apr 2016 15:30:16 +0200 Subject: Added a comment --- .../comment_3_d0893142a031072c638d1e36b17aefe3._comment | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment (limited to 'tracker/CSP_too_strict') diff --git a/tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment b/tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment new file mode 100644 index 0000000..3c53e3c --- /dev/null +++ b/tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment 
@@ -0,0 +1,12 @@ +[[!comment format=mdwn + username="Grégoire" + avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" + subject="comment 3" + date="2016-04-08T13:30:16Z" + content=""" +I understand your frustration... + +I found that someone openned an related issue agains Roundcube about this almost exactly 2 years ago: [Image proxy #5099](https://github.com/roundcube/roundcubemail/issues/5099). It doesn't seem to be considered high prirority and I can understand as it's probably not an easy thing to get right. + +An other interesting way to fix this would be to have at tool that inlines all the images in an email (turn the remote images into data urls) which you would run on all incomming messages (maybe using sieve?). The only problem is that it might considerably blow-up the size of your mailboxes but given the benefits, it might be worth a try. +"""]] -- cgit v1.2.3 From c62cbdde592f740cdc409ba9e59e49a7ddc5feca Mon Sep 17 00:00:00 2001 From: guilhem Date: Fri, 8 Apr 2016 15:39:39 +0200 Subject: Added a comment --- .../comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment (limited to 'tracker/CSP_too_strict') diff --git a/tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment b/tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment new file mode 100644 index 0000000..144ef97 --- /dev/null +++ b/tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment 
@@ -0,0 +1,8 @@ +[[!comment format=mdwn + username="guilhem" + avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" + subject="comment 4" + date="2016-04-08T13:39:39Z" + content=""" +Would be nice to have such proxy, indeed. Beside the mailbox overhead, another downside of the sieve hack is that this would invalidate all integrity checking such as DKIM or OpenPGP. +"""]] -- cgit v1.2.3
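Review bot: on the hunk creating tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment, the comment records which two directives were dropped (`upgrade-insecure-requests` and `block-all-mixed-content`) but not the resulting trade-off, which is the part a later reader of this ticket needs. With both gone, the http: image URLs reported in comment 1 are no longer rewritten to https and are fetched as plain HTTP inside the HTTPS webmail page, so those loads are again observable and modifiable on the network path, and the only control left is the Roundcube remote-content filter that the text itself only "hopes" is tight enough. Suggest adding one sentence to the comment body stating that this accepts mixed content for remote mail images and that Roundcube's built-in filtering is now the control relied upon, rather than leaving the reader to reconstruct it from the linked commit.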
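Review bot: style point on the hunk creating tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment: the content block carries several typos that should be fixed in the source before this lands, since it is a committed tracker entry ("openned an related issue agains", "prirority", "at tool that inlines", "incomming", "An other"), e.g. "opened a related issue against Roundcube", "priority", "a tool that inlines", "incoming", "Another". The subject is the auto-generated "comment 3" whereas the first two comments in this ticket use descriptive subjects; a subject naming the upstream image-proxy issue and the sieve idea would keep the tracker listing readable.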
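Review bot: on the hunk creating tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment, the DKIM/OpenPGP objection to the sieve rewrite is the decisive argument against that approach but is stated only in passing; suggest spelling it out in the comment so the ticket does not need to be re-derived later: turning remote image URLs into data: URLs rewrites the message body, so a DKIM body hash computed by the sender no longer matches the stored message and an OpenPGP signature over the original HTML part no longer verifies against the rewritten part, which means any later re-verification from the mailbox fails. If the idea is pursued anyway, the comment should note that the rewrite would have to run only after delivery-time verification has already been recorded. Minor: "Beside the mailbox overhead" should read "Besides the mailbox overhead".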