Remove 'unsafe-inline' from default-src
#2542
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
src/config/config.c
Outdated
| conf->webserver.headers.k = "webserver.headers"; | ||
| conf->webserver.headers.h = "Additional HTTP headers added to the web server responses.\n The headers are added to all responses, including those for the API.\n Note about the default additional headers:\n - X-DNS-Prefetch-Control: off: Usually browsers proactively perform domain name resolution on links that the user may choose to follow. We disable DNS prefetching here.\n - Content-Security-Policy: [...] 'unsafe-inline' is both required by Chart.js styling some elements directly, and index.html containing some inlined Javascript code.\n - X-Frame-Options: DENY: The page can not be displayed in a frame, regardless of the site attempting to do so.\n - X-Xss-Protection: 0: Disables XSS filtering in browsers that support it. This header is usually enabled by default in browsers, and is not recommended as it can hurt the security of the site. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).\n - X-Content-Type-Options: nosniff: Marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing. Site security testers usually expect this header to be set.\n - Referrer-Policy: strict-origin-when-cross-origin: A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.\n The latter four headers are set as expected by https://securityheaders.io"; | ||
| conf->webserver.headers.h = "Additional HTTP headers added to the web server responses.\n The headers are added to all responses, including those for the API.\n Note about the default additional headers:\n - X-DNS-Prefetch-Control: off: Usually browsers proactively perform domain name resolution on links that the user may choose to follow. We disable DNS prefetching here.\n - Content-Security-Policy: [...] 'unsafe-inline' is required by Chart.js for styling some elements directly.\n - X-Frame-Options: DENY: The page can not be displayed in a frame, regardless of the site attempting to do so.\n - X-Xss-Protection: 0: Disables XSS filtering in browsers that support it. This header is usually enabled by default in browsers, and is not recommended as it can hurt the security of the site. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).\n - X-Content-Type-Options: nosniff: Marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing. Site security testers usually expect this header to be set.\n - Referrer-Policy: strict-origin-when-cross-origin: A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.\n The latter four headers are set as expected by https://securityheaders.io"; |
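Review bot: the new help text on the second `conf->webserver.headers.h` line still hides the directive behind `[...]` and only says 'unsafe-inline' is required by Chart.js for styling; since the whole point of the change is that inline scripts are no longer allowed, name the directive that keeps the keyword (style-src) and say that script-src no longer carries it, so an operator reading the generated pihole.toml comment knows what the default actually permits. The same text is duplicated verbatim in the test fixture (test/pihole.toml lines 693 to 695, as the review below points out), so update both in the same commit or the config test will fail on the mismatch.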
Tests will fail unless the text is updated here to match
Lines 693 to 695 in 1ae3d2f
| # - Content-Security-Policy: [...] 'unsafe-inline' is both required by Chart.js | |
| # styling some elements directly, and index.html containing some inlined Javascript | |
| # code. |
|
I have already updated that to match the new text, but tests haven't run to check.
|
|
Tests running now |
|
Now it seems to be OK, CI is failing in "Display structure of downloaded files" and other places which looks like it's unrelated to my changes? |
|
Regardless, before landing this please everyone test if things are fine on web. I tested it and it looks like it. Only chart.js needs unsafe inline for styling, so this is a good hardening measure since we are getting rid of the ability to run random JavaScript code. |
|
Note that if we hit any issues say for example with images, we could explicitly specify I'm still using this CSP and haven't noticed any issues so far, but the more eyes the better. |
Only chart.js needs unsafe inline for styling
Is it our chart.js or the vendor supplied file? If the former, can we change the code to drop the unsafe-inline completely? |
|
No, you can't drop it. It's how it works AFAICT. |
|
|
The vendor code does it.
|
|
I had a closer look and I think we could drop But the biggest gain is from this change essentially not allowing unsafe-inline for script-src. |
This option has been added for Chart.js v2.9 (chartjs/Chart.js#6048). We are currently using v4.5 and I can confirm that However, we do get many
on http://pihole/api/docs and the page is overall broken. The failing CI tests should be resolved once #2543 has been merged and the PR has been rebased on latest |
|
Yeah, that's why I suggest my current patch for now. If/when we have time later we could look into dropping unsafe-inline from style-src too. |
Oh, missed this. I thought the CSP affected only the web. Not sure I have the bandwidth to check the API docs myself. But ideally they shouldn't use the same CSP as the Web. |
It is the same webserver. Unfortunately, CivetWeb does not support different headers for different directories. |
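The effect of the policy change discussed in this thread, as an added example (this is not Pi-hole/FTL code and not the project's real header, which the PR elides with `[...]`): a small evaluator that parses a CSP header, applies the rule that fetch directives such as script-src, style-src, font-src and img-src inherit default-src when they are not set explicitly, and answers the questions raised above for a "before" policy (with 'unsafe-inline' in default-src) and an "after" policy (with it only in style-src, plus the font-src and img-src entries the API docs need). The two policy strings, the page origin `http://pihole` and the sample URLs are constructed for illustration.

```javascript
// Added example, not Pi-hole/FTL project code. The policies, the page origin
// and the sample URLs below are constructed for illustration.

// Before: 'unsafe-inline' sits in default-src, so script-src and style-src,
// which are absent, both inherit it.
const CSP_BEFORE = "default-src 'self' 'unsafe-inline'; frame-ancestors 'none'";

// After: inline is allowed only for styles (Chart.js), plus the two sources the
// API docs page needs (Google fonts and data: images).
const CSP_AFTER =
  "default-src 'self'; " +
  "style-src 'self' 'unsafe-inline'; " +
  "font-src 'self' https://fonts.gstatic.com; " +
  "img-src 'self' data:; " +
  "frame-ancestors 'none'";

// Parse "name src src; name src" into { name: [src, ...] }. As in browsers,
// a repeated directive name is ignored after its first occurrence.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Fetch directives that inherit default-src when not set explicitly.
// Directives such as frame-ancestors do not fall back.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

// Source list that actually governs a directive, or null if nothing restricts it.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (FALLS_BACK_TO_DEFAULT.has(directive) && 'default-src' in policy) {
    return policy['default-src'];
  }
  return null;
}

// Inline script or style (onclick=, an inline <script>, a style= attribute)
// needs 'unsafe-inline' in the effective list. Nonces and hashes are out of scope.
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

// Matches 'self', '*', a bare scheme such as "data:", and scheme://host
// (with an optional "*." wildcard). Ports and paths are ignored for brevity.
function allowsUrl(policy, directive, url, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const target = new URL(url);
  for (const src of sources) {
    if (src === '*') return true;
    if (src === "'self'" && target.origin === pageOrigin) return true;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src) && target.protocol === src.toLowerCase()) return true;
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(src);
    if (m) {
      const scheme = m[1].toLowerCase() + ':';
      const host = m[2].toLowerCase();
      const hostOk = host.startsWith('*.')
        ? target.hostname.endsWith(host.slice(1))
        : target.hostname === host;
      if (hostOk && target.protocol === scheme) return true;
    }
  }
  return false;
}

// The questions the thread asks, answered for one policy.
function evaluate(header, pageOrigin = 'http://pihole') {
  const policy = parseCsp(header);
  return {
    inlineScript: allowsInline(policy, 'script-src'), // index.html onclick= handlers
    inlineStyle: allowsInline(policy, 'style-src'),   // Chart.js styling elements directly
    gstaticFont: allowsUrl(policy, 'font-src', 'https://fonts.gstatic.com/s/x.woff2', pageOrigin),
    dataImage: allowsUrl(policy, 'img-src', 'data:image/png;base64,iVBORw0KGgo=', pageOrigin),
    foreignScript: allowsUrl(policy, 'script-src', 'https://cdn.example/evil.js', pageOrigin),
  };
}

console.log('before', evaluate(CSP_BEFORE));
console.log('after ', evaluate(CSP_AFTER));
```

Running it shows the trade-off the thread settles on: the "after" policy keeps `inlineStyle` true for Chart.js but turns `inlineScript` false, which is the hardening gain, while the explicit font-src and img-src entries are what stop the rapidoc page from tripping violations. The matcher deliberately leaves out 'nonce-…', hashes and 'strict-dynamic'; a real CSP check has to handle those before drawing conclusions about a production header.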
|
How can I debug the API docs? From a quick look it's those |
|
| docEl.addEventListener('after-try', (event) => { | ||
| console.log(event.detail.response); | ||
| if(event.detail.response.status === 401) { |
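Review bot: `event.detail.response.status` is read on the `if` line without first checking that `event.detail.response` is set; if the request fails before any response arrives (a network error), that property access throws inside the listener. Guard it, for example `const response = event.detail && event.detail.response; if (!response) return;`, before comparing `status`. The `console.log(event.detail.response)` on the line above also leaves every API response in the browser console and should go before merge.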
Unrelated to this patch, but should be addressed later, this throws an error if there's a network error. We should add a try/catch here.
| <div> | ||
| <button onclick="document.getElementById('thedoc').setAttribute('theme', 'dark')" class="btn">Dark Theme</button> | ||
| <button onclick="document.getElementById('thedoc').setAttribute('theme', 'light')" class="btn">Light Theme</button> | ||
| <button type="button" class="btn" id="darkThemeBtn">Dark Theme</button> |
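Review bot: the removed lines attach behaviour through inline `onclick=` attributes, which a script-src without 'unsafe-inline' blocks, so the replacement `<button type="button" class="btn" id="darkThemeBtn">` must get its click handler from an external script file (an inline `<script>` block is blocked the same way); `type="button"` is correct here because the default button type is submit. Give the Light Theme button, removed on the second `-` line, the same `type="button"` and an id, and consider one shared handler that reads the theme from a data attribute instead of two near-identical listeners.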
These changes are not related to the inline JS move, but the default button type is submit.
|
It's a PITA to handle the API docs CSP along with the Web CSP, but since we can't have a separate CSP... I tried my best from my limited testing since I don't have a binary from this branch to try and I could only test by specifying the header on the Web. I could split the second patch since it can go alone if you guys prefer. And then we can test the API docs further. |
|
I split the JS changes to #2559 so that we land that without changing the CSP first. Then I will rebase this PR and see if there are any further issues but since I don't have a binary I can only test with the Web Header. |
... then build it? ;) There is a devcontainer in the FTL repo so you don't need any special tools to build it. Open in devcontainer and |
We upload all the binaries built during the CI/CD process. For this PR and the current run the binaries are at |
|
Perfect, thanks. I was waiting for the CI. I've split the JS changes to a separate PR (#2559) if you prefer which we can land independently. Feel free to test it further you guys too. |
|
Note that this fixes 2 CSP violations on the API docs:
The web interface seems to behave the same, but the more eyes the better. This PR alone will tighten things security-wise, and fix almost all console errors on the API page. The remaining one is fixed by #2557 . |
|
Actually, I notice now that rapidoc has an option to not load the fonts from the CDN. Perhaps we should specify this and drop the CSP whitelist since we don't need it on the Web? EDIT: I added a second patch. I suggest that we first land #2559, then I rebase and squash any patches here if we decide to go with no font approach, otherwise I'll drop the patch. |
Also, minor tweaks Signed-off-by: XhmikosR <[email protected]>
It's only needed in style-src for chart.js. Also add `font-src https://fonts.gstatic.com` and img-src data: since the API docs need it. Signed-off-by: XhmikosR <[email protected]>
Signed-off-by: XhmikosR <[email protected]>
It's only needed in style-src for chart.js