
[Website] Fix Content-Security-Policy header configuration

Open thisisnic opened this issue 1 month ago • 4 comments

Switches from directly setting the Content-Security-Policy header to using Apache Infra's recommended SetEnv CSP_PROJECT_DOMAINS approach. This resolves issue #723 by adding CSP exceptions rather than overriding the entire header.

Approval: https://issues.apache.org/jira/browse/INFRA-26638

We should test this when we merge it in case it breaks anything, as per previous updates with this.

thisisnic avatar Oct 29 '25 08:10 thisisnic

Preview URL: https://thisisnic.github.io/arrow-site

If the preview URL doesn't work, you may have forgotten to configure your fork repository for preview. See https://github.com/apache/arrow-site/blob/main/README.md#forks for how to configure it.

github-actions[bot] avatar Oct 29 '25 08:10 github-actions[bot]

There is no need to add https://proxy.kapa.ai/ etc. as they are included in https://*.kapa.ai/. communityovercode is in the default setting, so there is no need for that either.

Also, INFRA-26638 only relates to kapa.ai; you need to get approval before adding any other exceptions.

sebbASF avatar Oct 29 '25 08:10 sebbASF

Thanks @sebbASF - where can I find out which ones are included as the default so I can check the others?

thisisnic avatar Oct 29 '25 11:10 thisisnic

The default is currently:

default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ;

script-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ;

style-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ;

frame-ancestors 'self';

frame-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ;

worker-src 'self' data: blob:;

[I've added extra line-breaks to make it clearer]

I don't think this is documented anywhere (yet), but can be found by checking any site that does not use an override. For example whimsy.a.o

$ curl -fsSIL https://whimsy.apache.org | grep -i 'policy'

sebbASF avatar Oct 29 '25 11:10 sebbASF
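The two points made above (a `https://*.kapa.ai/` source already covers `https://proxy.kapa.ai/`, and `www.communityovercode.org` is already in the default, so neither needs a separate exception) follow from the CSP host-source matching rules. The script below is an added example, not code from the arrow-site repository or from Apache Infra: it parses a header value of the kind `curl -fsSIL ... | grep -i policy` prints, applies the CSP3 host-source rules (scheme, `*.` host wildcard, port, path prefix), and reports which URLs would still need an exception. The policy string is a constructed copy of the default quoted above (style-src and frame-src omitted, since they repeat script-src), the page origin `https://arrow.apache.org` and the kapa.ai URLs are assumptions, and the directive fallback chain is simplified to "directive, else default-src".

```python
from urllib.parse import urlsplit

# Constructed sample: the ASF default policy quoted above, rejoined into one header
# value with the "*" wildcards restored. style-src/frame-src omitted (same as script-src).
DEFAULT_CSP = (
    "default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' "
    "https://www.apachecon.com/ https://www.communityovercode.org/ "
    "https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ; "
    "script-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' "
    "https://www.apachecon.com/ https://www.communityovercode.org/ "
    "https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ; "
    "frame-ancestors 'self'; "
    "worker-src 'self' data: blob:;"
)
SELF_ORIGIN = "https://arrow.apache.org"   # assumed page origin that 'self' refers to
DEFAULT_PORTS = {"http": 80, "https": 443}
# Fetch directives that fall back to default-src when absent (simplified chain).
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                         "frame-src", "media-src", "object-src", "worker-src", "manifest-src"}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])   # first occurrence wins
    return policy


def _split_host_source(expr):
    """'https://*.kapa.ai:443/p' -> (scheme, host, port, path); absent parts are None/''."""
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = None, expr
    hostport, slash, path = rest.partition("/")
    host, colon, port = hostport.partition(":")
    return (scheme.lower() if scheme else None, host.lower(),
            port if colon else None, slash + path)


def host_source_matches(expr, url, self_origin=SELF_ORIGIN):
    """CSP3 host-source matching. Percent-decoding of paths is skipped."""
    if expr == "'self'":
        expr = self_origin
    e_scheme, e_host, e_port, e_path = _split_host_source(expr)
    u = urlsplit(url)
    u_scheme, u_host = u.scheme.lower(), (u.hostname or "").lower()
    # Scheme: an explicit scheme must match (http may be upgraded to https);
    # without one, the page origin's scheme applies.
    want_scheme = e_scheme or urlsplit(self_origin).scheme.lower()
    if u_scheme != want_scheme and not (want_scheme == "http" and u_scheme == "https"):
        return False
    # Host: "*.kapa.ai" covers every subdomain but not the apex "kapa.ai" itself.
    if e_host.startswith("*."):
        if not u_host.endswith(e_host[1:]):
            return False
    elif e_host != "*" and u_host != e_host:
        return False
    # Port: no port in the expression means only the scheme's default port matches.
    u_port = u.port or DEFAULT_PORTS.get(u_scheme)
    if e_port is None:
        if u_port != DEFAULT_PORTS.get(u_scheme):
            return False
    elif e_port != "*" and u_port != int(e_port):
        return False
    # Path: trailing "/" is a directory prefix, otherwise exact; "" or "/" covers everything.
    u_path = u.path or "/"
    if e_path and not (u_path.startswith(e_path) if e_path.endswith("/") else u_path == e_path):
        return False
    return True


def is_allowed(policy, directive, url, self_origin=SELF_ORIGIN):
    """Would a load of `url` governed by `directive` be permitted by `policy`?"""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if not sources or sources == ["'none'"]:
        return False
    u_scheme = urlsplit(url).scheme.lower()
    for src in sources:
        if src.endswith(":"):                            # scheme-source, e.g. data: blob:
            if u_scheme == src[:-1].lower():
                return True
        elif src.startswith("'") and src != "'self'":
            continue                                     # keywords/nonces/hashes never match a URL
        elif host_source_matches(src, url, self_origin):
            return True
    return False


def missing_exceptions(policy, directive, urls, self_origin=SELF_ORIGIN):
    """Subset of `urls` not already permitted for `directive`: only these need an exception."""
    return [u for u in urls if not is_allowed(policy, directive, u, self_origin)]


if __name__ == "__main__":
    policy = parse_csp(DEFAULT_CSP)
    wanted = ["https://www.communityovercode.org/", "https://proxy.kapa.ai/"]   # constructed
    print("needs exception:", missing_exceptions(policy, "script-src", wanted))
    with_kapa = parse_csp(DEFAULT_CSP.replace("script-src ", "script-src https://*.kapa.ai/ ", 1))
    print("after adding *.kapa.ai:", missing_exceptions(with_kapa, "script-src", wanted))
```

To run it against a live site, replace `DEFAULT_CSP` with the value printed by the `curl ... | grep -i policy` command above; the `worker-src` directive in the real chain falls back via child-src and script-src before default-src, which this simplified version does not model.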