Harden default Content Security Policy (CSP) #2754
Merged
Harden default Content Security Policy (CSP). Signed-off-by: Erasure5959 <154384607+Erasure5959@users.noreply.github.com>
DL6ER
requested changes
Dec 28, 2025
DL6ER
left a comment
Member
I have not been able to test my proposed changes myself but I think that's how it should be
Fix syntax/encapsulation errors. Co-authored-by: Dominik <DL6ER@users.noreply.github.com> Signed-off-by: Erasure5959 <154384607+Erasure5959@users.noreply.github.com>
DL6ER
approved these changes
Dec 28, 2025
Member
Thank you for your submission!
Merged
alfi0812
pushed a commit
to trueforge-org/truecharts
that referenced
this pull request
Feb 21, 2026
…1 → 2026.02.0 (#45320)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/pi-hole/pihole](https://redirect.github.com/pi-hole/docker-pi-hole) | major | `91dc91d` → `ee34852` |

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/18710) for more information.

Add the preset `:preserveSemverRanges` to your config if you don't want to pin your dependencies.

### Release Notes

<details>
<summary>pi-hole/docker-pi-hole (ghcr.io/pi-hole/pihole)</summary>

### [`v2026.02.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.02.0)

[Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2025.11.1...2026.02.0)

#### What's Changed (Docker Specific)

- Pin base image by sha to catch silent rebuilds by [@yubiuser](https://redirect.github.com/yubiuser) in [#1965](https://redirect.github.com/pi-hole/docker-pi-hole/pull/1965)
- Set fixed buildx version to mitigate issues with buildx version 0.31.1 by [@yubiuser](https://redirect.github.com/yubiuser) in [#1987](https://redirect.github.com/pi-hole/docker-pi-hole/pull/1987)

**Full Changelog**: <pi-hole/docker-pi-hole@2025.11.1...2026.02.0>

#### What's Changed (FTL v6.5)

- Tweak undocumented wait-for option subtly by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2707](https://redirect.github.com/pi-hole/FTL/pull/2707)
- update gravity - improve domain validation processing speed by [@rrobgill](https://redirect.github.com/rrobgill) in [pi-hole/FTL#2710](https://redirect.github.com/pi-hole/FTL/pull/2710)
- Update embedded SQLite3 to 3.51.1 by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2731](https://redirect.github.com/pi-hole/FTL/pull/2731)
- Update embedded dnsmasq to 2.92rc1 by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2730](https://redirect.github.com/pi-hole/FTL/pull/2730)
- Fix documentation - Do not use equal sign with `pihole-FTL --config` command by [@rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/FTL#2736](https://redirect.github.com/pi-hole/FTL/pull/2736)
- Add dns.cache.rrtype by [@Manakuremati](https://redirect.github.com/Manakuremati) in [pi-hole/FTL#2740](https://redirect.github.com/pi-hole/FTL/pull/2740)
- Enhancements to the documentation markdown generator by [@PromoFaux](https://redirect.github.com/PromoFaux) in [pi-hole/FTL#2741](https://redirect.github.com/pi-hole/FTL/pull/2741)
- Network Overview - obtain MAC and hostname from dhcp.leases by [@rrobgill](https://redirect.github.com/rrobgill) in [pi-hole/FTL#2727](https://redirect.github.com/pi-hole/FTL/pull/2727)
- fix: make `get_domains` parameters optional by [@tien](https://redirect.github.com/tien) in [pi-hole/FTL#2278](https://redirect.github.com/pi-hole/FTL/pull/2278)
- Escape unprintable characters in invalid host names by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2601](https://redirect.github.com/pi-hole/FTL/pull/2601)
- Implement better allOf handling in API verifier by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2745](https://redirect.github.com/pi-hole/FTL/pull/2745)
- Update build containers to Alpine 3.23 by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2743](https://redirect.github.com/pi-hole/FTL/pull/2743)
- Add option to hide network connection errors by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2749](https://redirect.github.com/pi-hole/FTL/pull/2749)
- Harden default Content Security Policy (CSP) by [@Erasure5959](https://redirect.github.com/Erasure5959) in [pi-hole/FTL#2754](https://redirect.github.com/pi-hole/FTL/pull/2754)
- Fix computation of NTP server's root delay by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2760](https://redirect.github.com/pi-hole/FTL/pull/2760)
- Teleporter: Fix for custom gravity.db path by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2758](https://redirect.github.com/pi-hole/FTL/pull/2758)
- Upgrade embedded Lua to 5.5 by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2626](https://redirect.github.com/pi-hole/FTL/pull/2626)
- Add missing `[forwarded]` property in GET /api/history/database by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2750](https://redirect.github.com/pi-hole/FTL/pull/2750)
- Update SQLite3 to 3.51.2 by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2761](https://redirect.github.com/pi-hole/FTL/pull/2761)
- Low-memory hardware optimizations by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2757](https://redirect.github.com/pi-hole/FTL/pull/2757)
- Reduce startup delay by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2725](https://redirect.github.com/pi-hole/FTL/pull/2725)
- home.arpa and internal TLDs may be non-local without revServer by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2772](https://redirect.github.com/pi-hole/FTL/pull/2772)

#### New Contributors

- [@Erasure5959](https://redirect.github.com/Erasure5959) made their first contribution in [pi-hole/FTL#2754](https://redirect.github.com/pi-hole/FTL/pull/2754)

**Full Changelog**: <pi-hole/FTL@v6.4.1...v6.5>

#### What's Changed (Web v6.4.1)

- Set the end date for live query update to end of epoch by [@rrobgill](https://redirect.github.com/rrobgill) in [pi-hole/web#3677](https://redirect.github.com/pi-hole/web/pull/3677)
- Improve initial loading of Query Log by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/web#3715](https://redirect.github.com/pi-hole/web/pull/3715)

Also fixes two security advisories:

- <GHSA-6xp4-jw73-f4qp>: fixed with [pi-hole/web@`d328f14`](https://redirect.github.com/pi-hole/web/commit/d328f143718022d82dc94c8751121ca41be3b996)
- <GHSA-8rw8-vjgp-rwj6>: fixed with [pi-hole/web@`1a0c6f4`](https://redirect.github.com/pi-hole/web/commit/1a0c6f4fe6d0116fd2846b2adaae95996b7f194d)

**Full Changelog**: <pi-hole/web@v6.4...v6.4.1>

#### What's Changed (Core v6.4)

- Remove wget from alpine dependencies by [@darkexplosiveqwx](https://redirect.github.com/darkexplosiveqwx) in [pi-hole/pi-hole#6484](https://redirect.github.com/pi-hole/pi-hole/pull/6484)
- Remove custom FTL FirewallD zone checks from debug log by [@rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/pi-hole#6481](https://redirect.github.com/pi-hole/pi-hole/pull/6481)
- Add Alpine 3.23 to test suite by [@yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6488](https://redirect.github.com/pi-hole/pi-hole/pull/6488)
- Debug log - Add colors to gravity tables by [@rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/pi-hole#6485](https://redirect.github.com/pi-hole/pi-hole/pull/6485)
- Use configured location for web repo when updating or repairing by [@rrobgill](https://redirect.github.com/rrobgill) in [pi-hole/pi-hole#6470](https://redirect.github.com/pi-hole/pi-hole/pull/6470)
- Add missing `-g` to the message in gravity recovery command by [@rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/pi-hole#6513](https://redirect.github.com/pi-hole/pi-hole/pull/6513)
- Don't install unused /usr/local/share/man/man5 by [@darkexplosiveqwx](https://redirect.github.com/darkexplosiveqwx) in [pi-hole/pi-hole#6526](https://redirect.github.com/pi-hole/pi-hole/pull/6526)

**Full Changelog**: <pi-hole/pi-hole@v6.3...v6.4>

</details>

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

- [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
github-actions Bot
pushed a commit
to bigbeartechworld/big-bear-universal-apps
that referenced
this pull request
Feb 26, 2026
…ag to v2026

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [bigbeartechworld/big-bear-pihole-unbound](https://redirect.github.com/pi-hole/docker-pi-hole) | major | `2025.11.1` → `2026.02.0` |

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/17) for more information.

### Release Notes

<details>
<summary>pi-hole/docker-pi-hole (bigbeartechworld/big-bear-pihole-unbound)</summary>

### [`v2026.02.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.02.0)

[Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2025.11.1...2026.02.0)

</details>

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

- [ ] If you want to rebase/retry this PR, check this box

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bigbeartechworld/big-bear-universal-apps).
What does this PR aim to accomplish?:
This PR aims to harden the Content Security Policy (CSP) which ships with Pi-hole by setting the default source to none and explicitly allowing certain directives to be loaded. This is essentially a block-by-default approach.
Relevant GitHub discussion: #2734 (comment)
How does this PR accomplish the above?:
This PR hardens the Content Security Policy (CSP) by setting the default source to none. The current CSP scans as below:
The suggested CSP shows as below from the same scanner:
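To make the block-by-default idea concrete, here is a small added example (not Pi-hole's code, and the two policy strings are constructed, not the header this PR ships): it parses a CSP value and resolves, per fetch directive, the source list a browser would actually enforce, so you can see which resource types silently end up unrestricted when `default-src` is absent versus set to `'none'`.

```python
# Added example, not Pi-hole's own code: resolve which CSP fetch directives get
# an explicit source list and which silently fall back to default-src. Both
# policy strings are constructed for illustration, not the header Pi-hole ships.

# Fallback chain per fetch directive (CSP Level 3): the first directive in the
# chain that is present in the policy supplies the enforced source list.
FALLBACK = {
    "script-src": ["default-src"], "style-src": ["default-src"],
    "img-src": ["default-src"], "font-src": ["default-src"],
    "connect-src": ["default-src"], "media-src": ["default-src"],
    "object-src": ["default-src"], "manifest-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}.
    Names are case-insensitive; on a repeated directive browsers keep the first
    occurrence, which setdefault() mirrors."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def effective_sources(policy):
    """Map each fetch directive to the source list the browser will enforce.
    With nothing in the fallback chain set, the browser imposes no restriction
    at all; that case is reported as ["*"]."""
    resolved = {}
    for directive, chain in FALLBACK.items():
        for name in (directive, *chain):
            if name in policy:
                resolved[directive] = policy[name]
                break
        else:
            resolved[directive] = ["*"]
    return resolved

def is_block_by_default(policy):
    """True when default-src is exactly 'none': unlisted resource types are denied."""
    return policy.get("default-src") == ["'none'"]

def unrestricted_directives(policy):
    """Fetch directives whose effective source list allows any origin."""
    return sorted(d for d, s in effective_sources(policy).items() if "*" in s)

# Constructed "before": only scripts and styles pinned, every other type is open.
PERMISSIVE_CSP = "script-src 'self'; style-src 'self'"
# Constructed "after" in the spirit of this PR: deny by default, allow explicitly.
HARDENED_CSP = ("default-src 'none'; script-src 'self'; style-src 'self'; "
                "img-src 'self' data:; font-src 'self'; connect-src 'self'; "
                "frame-ancestors 'none'; base-uri 'self'")

if __name__ == "__main__":
    for label, header in (("permissive", PERMISSIVE_CSP), ("hardened", HARDENED_CSP)):
        policy = parse_csp(header)
        print(label, is_block_by_default(policy), unrestricted_directives(policy))
```

Run against the permissive policy, seven resource types (images, fonts, XHR, media, objects, frames, manifests) resolve to no restriction at all; against the hardened policy every unlisted type resolves to `'none'`.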
Link documentation PRs if any are needed to support this PR:
pi-hole/docs#1332