
Conversation

@DL6ER
Member

@DL6ER DL6ER commented Jul 18, 2025

What does this implement/fix?

This PR picks up where #2542 left off. I imported the branch and checked everything is still working as expected. As usual, a second pair of eyes won't harm.

Most importantly: Modern CSP best practices recommend minimizing the use of unsafe-inline and only allowing it where strictly necessary (e.g., for styles). Accordingly, unsafe-inline is now only allowed for styles (because Chart.js needs it), no longer for scripts. This reduces the risk of cross-site scripting (XSS) attacks. As we have seen in the past, inline scripts are a common attack vector.

Other CSP parts:

  • style-src 'self' 'unsafe-inline': allows styles both from files and inline in the code/on the HTML pages.
  • img-src 'self' data: allows images from the same origin and embedded images via data URIs, but blocks external image sources, reducing exposure to malicious content. This is merely a precaution while we are adding more granular control, I don't think we have any external content right now.

A few other things are done as well, such as removing `minimum-scale=1,user-scalable=yes`, as these two are their respective defaults anyway.


Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): N/A


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repositories development branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions
  • I signed all my commits. Pi-hole requires signatures to verify authorship
  • I have read the above and my PR is ready for review.
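To make the policy change above concrete, here is a small added checker (example code written for this page, not part of FTL or this PR) that parses a `Content-Security-Policy` header and reports whether inline scripts can execute, applying the fallback-to-`default-src` rule and the CSP2 rule that `'unsafe-inline'` is ignored once a nonce or hash source is present. The two sample headers are constructed: `style-src 'self' 'unsafe-inline'` and `img-src 'self' data:` are taken from the PR text, while `default-src 'self'` and `script-src 'self'` in the hardened header, and the whole "weak" header, are assumptions used only to show the contrast.

```python
"""Parse a Content-Security-Policy header and flag inline-script exposure.

Example code added for illustration; the sample headers below are
constructed and do not claim to be FTL's actual headers before/after this PR.
"""
from typing import Dict, List

# Constructed "before" policy: unsafe-inline inherited by script-src via
# default-src, and images allowed from anywhere.
WEAK_CSP = "default-src 'self' 'unsafe-inline'; img-src *"

# Constructed "after" policy: style-src/img-src as described in the PR text;
# default-src and script-src values are assumptions.
HARDENED_CSP = (
    "default-src 'self'; script-src 'self'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:"
)

# Directives that fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated. Directive
    names are case-insensitive (lowercased here); per the spec the first
    occurrence of a directive wins and later duplicates are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the source list that actually governs `directive`."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def has_keyword(sources: List[str], keyword: str) -> bool:
    """Keyword sources such as 'unsafe-inline' are matched case-insensitively."""
    return any(s.lower() == keyword for s in sources)


def inline_scripts_allowed(policy: Dict[str, List[str]]) -> bool:
    """True if an inline <script> would run under this policy."""
    srcs = effective_sources(policy, "script-src")
    # CSP2+: a nonce or hash source disables 'unsafe-inline' for that directive.
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs
    )
    return has_keyword(srcs, "'unsafe-inline'") and not nonce_or_hash


def audit(header: str) -> List[str]:
    """Return human-readable findings for a CSP header."""
    policy = parse_csp(header)
    findings = []
    if inline_scripts_allowed(policy):
        findings.append("script-src permits 'unsafe-inline': inline scripts (an XSS vector) will execute")
    if has_keyword(effective_sources(policy, "style-src"), "'unsafe-inline'"):
        findings.append("style-src permits 'unsafe-inline' (accepted here for Chart.js)")
    img = effective_sources(policy, "img-src")
    if "*" in img or any(s.startswith(("http:", "https:")) for s in img):
        findings.append("img-src allows external origins")
    return findings


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {hdr}")
        for f in audit(hdr):
            print("  -", f)
```

Running the script prints three findings for the constructed weak header and a single, expected one (`style-src` still needs `'unsafe-inline'` for Chart.js) for the hardened header; the same `audit()` call can be pointed at a header copied from the browser's network panel when reviewing future CSP changes.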

XhmikosR and others added 3 commits July 13, 2025 07:28
Also, minor tweaks

Signed-off-by: XhmikosR <[email protected]>
It's only needed in `style-src` for chart.js. Also add `img-src data:` since
the API docs need it.

Signed-off-by: XhmikosR <[email protected]>
@DL6ER DL6ER requested a review from a team as a code owner July 18, 2025 09:17
@DL6ER DL6ER added the SECURITY label Jul 18, 2025
@yubiuser
Member

#2542 included a third commit. Why did you not port this as well?

@rdwebdesign
Member

@DL6ER

The 3rd commit mentioned above is https://github.com/pi-hole/FTL/pull/2542/commits/7377e08fe9b94c5d6d1379ca72666c560d563e8e and removes the request for the external font files.

The current CSP is already blocking the font request:

[screenshot]

but there are errors:

[screenshot]

What do you want to do?
Remove the font completely (using the code from the other commit), or fix the previous CSP and allow loading the external font?

@DL6ER
Member Author

DL6ER commented Aug 2, 2025

The change is already here

[screenshot]

@DL6ER DL6ER merged commit a2473ad into development Aug 3, 2025
17 checks passed
@DL6ER DL6ER deleted the xmr/csp branch August 3, 2025 06:14
@PromoFaux PromoFaux mentioned this pull request Oct 25, 2025
@pralor-bot

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/suggestions-for-content-security-policy-csp/83864/1
