A few days ago, one of our clients asked us to enable Content-Security-Policy (CSP) on their email server. So, this is what I did:
zmprov mcf +zimbraResponseHeader "Content-Security-Policy: default-src https: 'self' 'unsafe-inline'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; img-src 'self' data:"
This configuration has been tested on Zimbra 10 and has worked well so far. Below are the scan results before and after implementing CSP.
Before
After
Good luck 🙂
Hello, I added the headers indicated here and it worked. Thank you. But I just have one question: I have Permissions-Policy in red. How do I solve this? Thanks again.
Hello,
I also get red on Permissions-Policy. “Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.”
Dear Imanudin,
Thanks for your help. After deploying this, CSP shows green, but it gives a warning like the one below:
“This policy contains ‘unsafe-inline’ which is dangerous in the default-src directive. This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive. This policy contains ‘unsafe-eval’ which is dangerous in the script-src directive.”
How can I overcome this?
Hello,
You can remove that line from the command. However, your webmail may not work properly.
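As an added example (not from the original post or its comments), the following Python parses the exact policy string passed to zmprov above, reproduces the three "dangerous directive" warnings quoted in the comments, and shows what the policy looks like once 'unsafe-inline' and 'unsafe-eval' are dropped, as the author suggests trying. The function names are hypothetical; the policy string is the one from the post.

```python
"""Parse a Content-Security-Policy value and flag the keyword sources that
scanners mark as dangerous ('unsafe-inline', 'unsafe-eval').

Added example, not part of the original post. ZIMBRA_CSP is the policy from
the zmprov command in the post, with the header name removed.
"""
from typing import Dict, List

ZIMBRA_CSP = ("default-src https: 'self' 'unsafe-inline'; "
              "script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; "
              "object-src 'none'; img-src 'self' data:")

# Keyword sources that weaken CSP; scanners warn when they appear in the
# directives that govern script and style execution.
RISKY_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")
SCRIPT_LIKE = ("default-src", "script-src", "style-src")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split "dir src src; dir src" into {directive: [sources]}.

    Directive names are case-insensitive; a repeated directive is ignored
    after its first occurrence, which matches browser behaviour."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue  # empty chunk, e.g. from a trailing semicolon
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def audit_csp(policy: str) -> List[str]:
    """Return one warning per risky keyword found in a script-like directive."""
    warnings: List[str] = []
    directives = parse_csp(policy)
    for name in SCRIPT_LIKE:
        for src in directives.get(name, []):
            if src.lower() in RISKY_SOURCES:
                warnings.append(f"{src} in the {name} directive")
    return warnings


def strip_unsafe(policy: str) -> str:
    """Rebuild the policy without the risky keywords (may break webmail)."""
    parts = []
    for name, sources in parse_csp(policy).items():
        kept = [s for s in sources if s.lower() not in RISKY_SOURCES]
        parts.append(" ".join([name, *kept]))
    return "; ".join(parts)


if __name__ == "__main__":
    for warning in audit_csp(ZIMBRA_CSP):
        print("WARNING:", warning)
    print("Hardened:", strip_unsafe(ZIMBRA_CSP))
```

Note that because script-src is present, the 'unsafe-inline' in default-src no longer applies to scripts; it still applies to styles and any other directive that falls back to default-src, which is why the scanner reports it separately.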