Skip to content

Harden default Content Security Policy (CSP) #2754

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
DL6ER merged 5 commits into from
Dec 28, 2025
Merged

Harden default Content Security Policy (CSP) #2754

DL6ER merged 5 commits into from
Dec 28, 2025

Conversation

@Erasure5959
Copy link

@Erasure5959 Erasure5959 commented Dec 28, 2025

Thank you for your contribution to the Pi-hole Community!

Please read the comments below to help us consider your Pull Request.

We are all volunteers and completing the process outlined will help us review your commits quicker.

Please make sure you

  1. Base your code and PRs against the repositories developmental branch.
  2. Sign Off all commits as we enforce the DCO for all contributions
  3. Sign all your commits as they must have verified signatures
  4. File a pull request for any change that requires changes to our documentation at our documentation repo

What does this PR aim to accomplish?:

This PR aims to harden the Content Security Policy (CSP) which ships with Pi-hole by setting the default source to none and explicitly allowing certain directives to be loaded. This is essentially a block-by-default approach.

Relevant GitHub discussion: #2734 (comment)

How does this PR accomplish the above?:

This PR hardens the Content Security Policy (CSP) by setting the default source to none. The current CSP scans as below:

image

The suggested CSP shows as below from the same scanner:

image

Link documentation PRs if any are needed to support this PR:

pi-hole/docs#1332

By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code and I have tested my changes.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)
  6. I have checked that another pull request for this purpose does not exist.
  7. I have considered, and confirmed that this submission will be valuable to others.
  8. I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  9. I give this submission freely, and claim no ownership to its content.
  • I have read the above and my PR is ready for review. Check this box to confirm

@Erasure5959
Update config.yaml - modify CSP
c4c9adf 
Harden default Content Security Policy (CSP).

Signed-off-by: Erasure5959 <[email protected]>
@Erasure5959
Update pihole.toml - modify CSP
480a7ba 
Harden default Content Security Policy (CSP).

Signed-off-by: Erasure5959 <[email protected]>
@Erasure5959
Update test_suite.bats - modify CSP
59dfeee 
Harden default Content Security Policy (CSP).

Signed-off-by: Erasure5959 <[email protected]>
@Erasure5959
Update config.c - modify CSP
b2cefdb 
Harden default Content Security Policy (CSP).

Signed-off-by: Erasure5959 <[email protected]>
@Erasure5959 Erasure5959 requested a review from a team as a code owner December 28, 2025 10:36
DL6ER
DL6ER requested changes Dec 28, 2025
View reviewed changes
Copy link
Member

@DL6ER DL6ER left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have not been able to test my proposed changes myself but I think that's how it should be

@Erasure5959 @DL6ER
Update test/test_suite.bats
cd8dbe5 
Fix syntax/encapsulation errors.

Co-authored-by: Dominik <[email protected]>
Signed-off-by: Erasure5959 <[email protected]>
@Erasure5959 Erasure5959 requested a review from DL6ER December 28, 2025 12:43
@DL6ER
Copy link
Member

DL6ER commented Dec 28, 2025

Thank you for your submission!

@DL6ER DL6ER merged commit 567db20 into pi-hole:development Dec 28, 2025
13 checks passed
@Erasure5959 Erasure5959 deleted the development branch December 28, 2025 20:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DL6ER DL6ER DL6ER approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Erasure5959 @DL6ER