[GH-ISSUE #218] [FEATURE] Send Content Security Policy (CSP) Header #151

Closed
opened 2026-02-25 20:35:02 +03:00 by kerem · 1 comment
Owner

Originally created by @pred2k on GitHub (Mar 7, 2021).
Original GitHub issue: https://github.com/benbusby/whoogle-search/issues/218

Describe the feature you'd like to see added
To prevent any accidental connection (ip leaks) to google or others, whoogle should send a strong CSP Header.

I use the following in my reverse proxy without breaking functionality in Firefox 86.
Inline scripts ("script-src") and images
data:image/png;base64,iVBORw0KGgoAAAANSU… ("img-src")
are blocked, says the console.

```
default-src 'none';
img-src 'self';
style-src 'self' 'unsafe-inline';
script-src 'self';
media-src 'self';
connect-src 'self';
form-action 'self';
upgrade-insecure-requests;
```

This would offer CSP to all kinds of deployments.

Additional context
https://en.wikipedia.org/wiki/Content_Security_Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

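To see what the proposed policy actually does before deploying it, the following script (an added example, not whoogle's code and not the reporter's) serialises the header and runs a small CSP evaluator over a set of constructed resource loads: the inline script and data: image the reporter saw blocked in the console, same-origin assets, and third-party hosts such as google.com. The page origin `https://whoogle.example` and the URLs are assumptions for illustration. The evaluator only models the source expressions this policy uses ('none', 'self', 'unsafe-inline', scheme sources and exact host sources) plus the CSP3 rule that fetch directives fall back to default-src; it is not a complete CSP matcher.

```python
"""Added example: build the CSP header from the issue and check which loads
it permits. Simplified CSP3 model, covering only the source expressions used
in that policy. Origins and URLs below are constructed for illustration."""
from urllib.parse import urlsplit

# The policy from the issue, as a directive -> source-list mapping.
CSP_POLICY = {
    "default-src": ["'none'"],
    "img-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'"],
    "media-src": ["'self'"],
    "connect-src": ["'self'"],
    "form-action": ["'self'"],
    "upgrade-insecure-requests": [],
}

# Fetch directives that inherit default-src when not set (CSP3, abbreviated).
# Note that form-action is deliberately absent: it never falls back.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "media-src", "connect-src",
    "font-src", "frame-src", "object-src", "worker-src", "manifest-src",
}

PAGE_ORIGIN = "https://whoogle.example"  # assumed deployment origin


def build_csp(policy):
    """Serialise a directive mapping into a Content-Security-Policy value."""
    return "; ".join(" ".join([d, *srcs]) for d, srcs in policy.items())


def parse_csp(header):
    """Parse a header value back into directive -> list of source expressions."""
    policy = {}
    for token in header.split(";"):
        fields = token.split()
        if fields:
            policy[fields[0].lower()] = fields[1:]
    return policy


def _sources_for(policy, directive):
    """Effective source list for a directive, honouring default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None  # no directive and no fallback: unrestricted


def is_allowed(policy, directive, resource, page_origin=PAGE_ORIGIN):
    """True if `resource` may load under `directive`.

    `resource` is the literal string "inline" (an inline <script>/<style>
    or an event-handler attribute) or an absolute URL.
    """
    sources = _sources_for(policy, directive)
    if sources is None:
        return True
    if "'none'" in sources:
        return False
    if resource == "inline":
        return "'unsafe-inline'" in sources
    url = urlsplit(resource)
    origin = f"{url.scheme}://{url.netloc}"
    for src in sources:
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and url.scheme == src[:-1]:  # scheme source, e.g. data:
            return True
        if src.startswith(("http://", "https://")) and src.rstrip("/") == origin:
            return True  # exact host source; wildcards are not modelled here
    return False


# Constructed loads resembling what a search page might attempt.
SAMPLE_LOADS = [
    ("script-src", "inline"),
    ("script-src", "https://whoogle.example/static/js/main.js"),
    ("img-src", "data:image/png;base64,iVBORw0KGgo"),
    ("img-src", "https://whoogle.example/static/img/logo.png"),
    ("img-src", "https://www.google.com/images/logo.png"),
    ("style-src", "inline"),
    ("connect-src", "https://www.google.com/complete/search"),
    ("font-src", "https://fonts.gstatic.com/s/roboto.woff2"),
    ("form-action", "https://www.google.com/search"),
]


def check_policy(policy=CSP_POLICY, loads=SAMPLE_LOADS, page_origin=PAGE_ORIGIN):
    """Return {(directive, resource): allowed} for every sample load."""
    return {(d, r): is_allowed(policy, d, r, page_origin) for d, r in loads}


if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(CSP_POLICY))
    for (directive, resource), ok in check_policy().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5}  {directive:12} {resource}")
```

The run reproduces the console findings from the report: the inline script and the data: image are refused, while inline styles pass only because of `'unsafe-inline'` in style-src. That keyword is the weak spot of the policy; replacing it with a per-response nonce or hash would let style-src be tightened without breaking the page. The evaluator also shows the fallback rule: font-src is not listed, so it inherits `default-src 'none'`, whereas form-action must be set explicitly because it never falls back.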
kerem 2026-02-25 20:35:02 +03:00
Author
Owner

@benbusby commented on GitHub (Mar 7, 2021):

Good thinking, thanks for the recommendation. Added in a1134e7633.
