Improve CSP config (#1377)

* Remove `'unsafe-eval'`; this was needed in the past for Chart.js. * Remove `https://api.github.com` since we don't make any requests to this domain client-side * Specify more directives which are not inherited by `default-src` Signed-off-by: XhmikosR <xhmikosr@gmail.com>
2026-04-25 19:29:20 +01:00 · 2020-06-04 17:40:39 +03:00
parent cd99d3385a
commit a9cee0039a
1 changed files with 1 additions and 1 deletions
--- a/scripts/pi-hole/php/header.php
+++ b/scripts/pi-hole/php/header.php
@@ -162,7 +162,7 @@
 <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https://api.github.com; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; base-uri 'none'; child-src 'self'; form-action 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'">
    <!-- Usually browsers proactively perform domain name resolution on links that the user may choose to follow. We disable DNS prefetching here -->
    <meta http-equiv="x-dns-prefetch-control" content="off">
    <meta http-equiv="cache-control" content="max-age=60,private">