[Tickets #13976] Security Headers

noreply at bugs.horde.org noreply at bugs.horde.org
Fri May 1 10:08:07 UTC 2015 

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/13976
------------------------------------------------------------------------------
  Ticket             | 13976
  Created By         | o+horde at immerda.ch
  Summary            | Security Headers
  Queue              | Horde Groupware
  Version            | 5.2.6
  Type               | Enhancement
  State              | New
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


o+horde at immerda.ch (2015-05-01 10:08) wrote:

It has increasingly become good practice to set a number of security  
related http headers. We are currently maintaining our own set of  
headers for horde, but I think it would make sense to maintain them  
directly within horde and enable by default. Other projects (e.g.  
Owncloud) have also begun to do so.

In detail we propose to add the following headers:

1) X-FRAME-OPTIONS: SAMEORIGIN
-> sameorigin is needed for the attachment upload

2) X-Content-Type-Options: nosniff
-> no problems encountered

3) Content-Security-Policy: default-src 'self'; script-src  
'unsafe-eval' 'unsafe-inline' 'self'; object-src 'self'; style-src  
'unsafe-inline' 'self'; img-src data: 'self'; media-src 'self';  
frame-src 'self'; font-src 'self'; connect-src 'self';
-> this is fairly restrictive and might break things. E.g. for the imp  
"open html in separate window" function we have a different policy,  
basically lifting restrictions for img-src and style-src to allow  
external elements. I assume other parts of horde would need similar  
exceptions.
-> But CSP headers are really, really important and I would love to  
see them officially supported! E.g. we where not affected by the  
latest XSS in the html editor thanks to them.
-> at least frame, script, object and connect could probably be set  
without breaking anything.

If there is interest but no resources please tell me so, I might be  
able to provide a patch.

More information about the bugs mailing list