
CSP tool should base changes on existing site settings as a default, not infra.projects.org

Open sebbASF opened this issue 8 months ago • 2 comments

This would allow for cumulative changes, instead of having to start again.

However, it would also be useful to show differences from the standard, and to base changes on that, in case the project needs to start again.

sebbASF, Mar 19 '25 17:03

We don't generally allow CORS on the CDN, so you can't do cross-origin tests, and even when you can, you have to expose the CSP policy header for that hostname as well, hence why it does a local fetch. This isn't meant to be an exhaustive tool, I'm sure you can find a CSP tool like ModHeader that suits you.

Humbedooh, Mar 19 '25 17:03

AFAICT, we do allow CORS [1] on hosts served by the tlp-server:

$ curl -sSIL https://infra.apache.org
HTTP/2 200 
server: Apache
last-modified: Thu, 27 Feb 2025 19:43:43 GMT
etag: "3ec6-62f24e85582e8"
access-control-allow-origin: *
...

Also, in my local testing, I used the pelican local testing server, which does not support CSP headers (AFAICT), so I changed the fetch to reference https://infra.apache.org/?csp-${rnd}. This worked fine. But maybe I am missing something here?

[1] https://issues.apache.org/jira/browse/INFRA-19739

sebbASF, Mar 20 '25 14:03
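The two technical points in this thread, that a cross-origin fetch must both pass the CORS origin check and have the CSP header explicitly exposed before a script can read it, and that the tool could diff a site's current policy against a baseline to show "changes from the standard", as an added JavaScript example that is not code from the infrastructure-website project; the header sets and policies below are constructed inputs, and the fetch is assumed to be non-credentialed.

```javascript
// Added example (not infrastructure-website code): (1) decide whether a
// cross-origin script could read a site's CSP header from a fetch() response,
// and (2) diff the site's current policy against a baseline, per directive.

// Response headers a browser exposes to cross-origin JS without an explicit
// Access-Control-Expose-Headers (the CORS-safelisted response header names).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// headers: plain object, lower-cased header name -> value (constructed input).
// origin: the page origin doing the fetch. Assumes a non-credentialed request,
// where "*" is acceptable for both allow-origin and expose-headers.
function cspReadableCrossOrigin(headers, origin) {
  const acao = headers["access-control-allow-origin"];
  if (acao !== "*" && acao !== origin) return false; // CORS check fails outright
  const exposed = (headers["access-control-expose-headers"] || "")
    .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
  const name = "content-security-policy";
  return SAFELISTED.has(name) || exposed.includes("*") || exposed.includes(name);
}

// Parse "default-src 'self'; img-src 'self' data:" into {directive: Set(sources)}.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    out[directive.toLowerCase()] = new Set(sources);
  }
  return out;
}

// Per-directive differences between a baseline policy and the site's current
// one; directives with identical source lists are omitted from the result.
function diffCsp(baseline, current) {
  const a = parseCsp(baseline), b = parseCsp(current);
  const diff = {};
  for (const d of new Set([...Object.keys(a), ...Object.keys(b)])) {
    const inA = a[d] || new Set(), inB = b[d] || new Set();
    const added = [...inB].filter(s => !inA.has(s));
    const removed = [...inA].filter(s => !inB.has(s));
    if (added.length || removed.length) diff[d] = { added, removed };
  }
  return diff;
}
```

With `access-control-allow-origin: *` alone, as in the curl output above, `cspReadableCrossOrigin` returns false; it only returns true once the CSP header is also listed in `Access-Control-Expose-Headers`.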