The Content-Security-Policy header must not be overridden

[sebbASF]

arrow-site/.htaccess

Line 31 in 0a7594a

Header set Content-Security-Policy "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ https://analytics.apache.org/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ https://www.apachecon.com/ https://*.kapa.ai/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ https://www.recaptcha.net/; script-src-elem 'self' 'unsafe-inline' https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://analytics.apache.org/ https://widget.kapa.ai/; style-src 'self' 'unsafe-inline' https://*.kapa.ai/ data:; frame-ancestors 'self'; frame-src 'self' data: blob: https://www.google.com/ https://www.recaptcha.net/; connect-src 'self' https://analytics.apache.org proxy.kapa.ai kapa-widget-proxy-la7.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai www.google.com recaptcha.net; img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/ https://*.kapa.ai/ https://www.google.com https://*.gstatic.com/; worker-src 'self' data: blob:;"

The Content-Security-Policy header must not be overridden.

There is now a standard way to add local exceptions to the CSP:

https://infra.apache.org/tools/csp.html

Please update the .htaccess file accordingly.

[amoeba]

Thanks @sebbASF. @thisisnic are you able to take a look at this?

[thisisnic]

Thanks for the ping @amoeba, will take a look next week.

[sebbASF]

Please note that the policy says that any exceptions must have been approved, and a reference to the approval must be commented in the .htaccess file

[thisisnic]

Thanks for the info @sebbASF. I was wondering if you know of other projects which are using the kapa.ai bot which have needed to do the same, so I can compare to those and check if it looks right before I merge? Last time we updated the .htaccess file, it took a lot of rounds to get it right while trying not to take out the website for too long.

[sebbASF]

Which pages have the kapa.ai bot? I could not find any reference to it except in the htaccess CSP override.

Note that there are ways to test changes to the CSP without affecting the deployed site.
You could set up a preview site (define this in .asf.yaml).

Or the Attic project has a Docker definition that can apply any desired CSP to a remote website.
Details are in https://github.com/apache/attic/blob/main/DOCKER.md

The basic commands are:

$ docker compose build
(only needs to be done once, unless you change any files)

VAR_HOSTURL=https://beam.apache.org/ CSP_PROJECT_DOMAINS="host1 host2" docker compose up

Navigate to localhost:8000

If you enable browser debugging, you should be able to see if there are any CSP errors in the console log.

[pitrou]

@raulcd FYI