A few days ago, one of our clients asked us to enable Content-Security-Policy (CSP) on their email server. So, this is what I did:
zmprov mcf +zimbraResponseHeader "Content-Security-Policy: default-src https: 'self' 'unsafe-inline'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; img-src 'self' data:"
This configuration has been tested on Zimbra 10 and has worked well so far. Below is the condition before and after implementing CSP:
Before

After

Good luck 🙂
Hello, I added the headers indicated here and it worked. Thank you. But I just have one question: I have Permissions-Policy in red. How do I solve this? Thanks again.
Hello,
I also get red on Permissions-Policy. “Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.”
Dear Imanudin,
Thanks for your help. After deploying this, CSP shows green, but they give a warning like the one below:
“This policy contains ‘unsafe-inline’ which is dangerous in the default-src directive. This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive. This policy contains ‘unsafe-eval’ which is dangerous in the script-src directive.”
How can I overcome this?
Hello,
You can remove that part from the command. However, your webmail may not work properly.
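As an added example (not part of the original post or its comments), the script below checks a CSP policy string for the 'unsafe-inline' and 'unsafe-eval' keywords that header scanners flag, using the exact policy from the post, and wraps the apply/remove zmprov commands in functions. It assumes zmprov is on the PATH of a Zimbra server and that mail.example.com is a placeholder hostname; the policy check itself runs anywhere with a POSIX shell.

```sh
#!/bin/sh
# Added example, not from the original post. Checks a CSP policy for keywords
# that weaken it, and shows how to apply or remove the header with zmprov.

# The policy from the post (header name removed, directives only).
CSP="default-src https: 'self' 'unsafe-inline'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; img-src 'self' data:"

# Constructed hardened policy for comparison: no inline scripts, no eval.
# Whether webmail still works with it must be tested on the server.
CSP_STRICT="default-src 'self'; script-src 'self'; object-src 'none'; img-src 'self' data:"

# csp_unsafe_directives POLICY
# Splits the policy on ';' and prints "directive keyword" for every
# directive that contains 'unsafe-inline' or 'unsafe-eval'.
csp_unsafe_directives() {
    printf '%s\n' "$1" | tr ';' '\n' | while read -r directive; do
        [ -n "$directive" ] || continue
        name=${directive%% *}
        for kw in "'unsafe-inline'" "'unsafe-eval'"; do
            case " $directive " in
                *" $kw "*) printf '%s %s\n' "$name" "$kw" ;;
            esac
        done
    done
}

# csp_unsafe_count POLICY -> number of findings (0 means none flagged)
csp_unsafe_count() {
    csp_unsafe_directives "$1" | wc -l | tr -d ' '
}

# Apply the header on a Zimbra server (assumes zmprov on PATH, run as zimbra).
zimbra_csp_apply() {
    zmprov mcf +zimbraResponseHeader "Content-Security-Policy: $1"
}

# Remove the same header again: the '-' form of the same command.
zimbra_csp_remove() {
    zmprov mcf -zimbraResponseHeader "Content-Security-Policy: $1"
}

# Fetch the live header from the webmail host (placeholder hostname).
# If the header does not show up after applying it, restarting mailboxd
# (zmmailboxdctl restart) is commonly needed; treat that as an assumption.
csp_from_server() {
    curl -sI "https://${1:-mail.example.com}/" | grep -i '^content-security-policy:'
}

# Report for the post's policy: expected three findings, matching the
# scanner warning (default-src inline, script-src inline, script-src eval).
csp_unsafe_directives "$CSP"
echo "findings in post policy: $(csp_unsafe_count "$CSP")"
echo "findings in strict policy: $(csp_unsafe_count "$CSP_STRICT")"
```

Run the check first; if the strict policy breaks webmail in testing, keep the keywords only in the directive that actually needs them rather than in default-src.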
Dear Sir,
Kindly guide me on how to remove CSP from Zimbra 8.8.15.
Thanks & Regards,
Robert
Hi Robert Anthony,
You can change the + to - in this command.