The Content-Security-Policy header must not be overridden

[sebbASF]

https://github.com/apache/dubbo-website/blob/78c1b68d80ebb7d8571f4d5a390b8ccb82cce46f/.htaccess#L10

The Content-Security-Policy header must not be overridden.

There is now a standard way to add local exceptions to the CSP:

https://infra.apache.org/tools/csp.html

You need to get approval before adding any domains. Also please document such approval in the .htaccess file.

The following are already included in the default:

https://www.apachecon.com/
https://www.communityovercode.org/
https://*.apache.org/
https://apache.org/
https://*.scarf.sh/