Suggestions for Content Security Policy (CSP)

[Erasure5959]

Versions

• Pi-hole: 6.3
• Web: 6.4
• FTL: 6.4.1

Platform

• OS and version: Ubuntu 22.04

• Platform: Raspberry Pi

This is not a bug, but this seems to be the only option which will allow me to create an issue. Further to PR#2575 (#2575) I understand work is still ongoing regarding the CSP. I would like to share mine which I have worked on and have been running for a few months now.

My CSP is as follows in the .toml file:

"Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"

As mentioned above, I have been running this for a few months and without observed issues in the browser console. My settings are quite strict, but most scanners are happy with this (e.g. https://csp-evaluator.withgoogle.com/)

Feel free to close this if work is almost finalised or if my settings are of no use. Merely opening and posting in case it might help save some development time.

[rdwebdesign]

This is not a bug, but this seems to be the only option which will allow me to create an issue.

Actually, there are other options and you should click on the "Feature Request":

This will redirect you to our Discourse forum, where the feature requests should be opened: https://discourse.pi-hole.net/c/feature-requests/8

[DL6ER]

To avoid double-posting: Has a related Discourse discussion been created yet? I'd be fine with merging this into development and see if users are reporting issues with it. I am myself using it for a few days now and haven't observed any issues (as OP did as well).

edit @Erasure5959 Would you like to submit your own PR to FTL? On first glance, it seems a few places need adjustment:

• FTL/src/api/docs/content/specs/config.yaml

  Line 784 in 8d1add8

  - "Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"

• FTL/test/pihole.toml

  Line 946 in 8d1add8

  "Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;",

• FTL/test/test_suite.bats

  Line 2330 in 8d1add8

  run bash -c 'grep -F "Webserver option 7/12: additional_header=X-DNS-Prefetch-Control: off\r\nContent-Security-Policy: default-src '"'self'"'; style-src '"'self'"' '"'unsafe-inline'"'; img-src '"'self'"' data:;\r\nX-Frame-Options: DENY\r\nX-XSS-Protection: 0\r\nX-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\n" /var/log/pihole/FTL.log'

• FTL/src/config/config.c

  Line 1066 in 8d1add8

  cJSON_AddItemToArray(conf->webserver.headers.d.json, cJSON_CreateStringReference("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"));

But it is really only copy-pasting your changes to any of these places.

[Erasure5959]

@DL6ER I did create a Discourse discussion yes, found at https://discourse.pi-hole.net/t/suggestions-for-content-security-policy-csp/83864

I am happy to create a PR for this, will set aside time in the week to do it. Thanks for looking at this and the guidance!