
The Content-Security-Policy header must not be overridden

Open sebbASF opened this issue 1 month ago • 2 comments

https://github.com/apache/tsfile/blob/054e8a380e83be9aa804132cdbdce578185d7763/src/.vuepress/public/.htaccess#L9

The Content-Security-Policy header must not be overridden.

There is now a standard way to add local exceptions to the CSP:

https://infra.apache.org/tools/csp.html

You need to get approval before adding any domains. Also please document such approval in the .htaccess file.

The following are already included in the default:

https://www.apachecon.com/
https://www.communityovercode.org/
https://*.apache.org/
https://apache.org/
https://*.scarf.sh/

sebbASF, Oct 30 '25 17:10

So do these need to be applied for separately?

CSP permissions for foo.apache.org - Adding 3rd party service Algolia. Approved by VP Data Privacy.

SetEnv CSP_PROJECT_DOMAINS "https://*.algolia.net/ https://*.algolianet.com/ https://*.algolia.io/"

CritasWang, Oct 31 '25 03:10

The document says:

"Each additional host you add MUST have been pre-approved by VP Data Privacy ([email protected]), and SHOULD have an accompanying comment in the .htaccess file explaining why the CSP is changed and where permission was obtained."

sebbASF, Oct 31 '25 09:10
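Added example, not part of the thread and not ASF Infra's own tooling: a small pre-commit style check for the rules discussed above. It flags a direct `Content-Security-Policy` header directive, a `CSP_PROJECT_DOMAINS` line with no approval comment, and hosts the default policy already covers. The function names, the "comment directly above mentions approval" heuristic and the sample file are assumptions made for illustration.

```python
import re
from fnmatch import fnmatch

# Hosts the issue lists as already included in the default policy.
DEFAULT_HOSTS = ["www.apachecon.com", "www.communityovercode.org",
                 "*.apache.org", "apache.org", "*.scarf.sh"]
HEADER_RE = re.compile(r"^\s*Header\s+.*\bContent-Security-Policy\b", re.I)
SETENV_RE = re.compile(r'^\s*SetEnv\s+CSP_PROJECT_DOMAINS\s+"([^"]*)"', re.I)
HOST_RE = re.compile(r"(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+")  # wildcard only as first label


def host_of(source):
    """Reduce 'https://*.example.org/' to '*.example.org'."""
    return re.sub(r"^[a-z]+://", "", source.strip(), flags=re.I).rstrip("/").lower()


def lint_htaccess(text):
    """Return (line_number, message) findings for one .htaccess file."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines, start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not active
        if HEADER_RE.match(line):
            findings.append((i, "direct Content-Security-Policy header override"))
            continue
        m = SETENV_RE.match(line)
        if not m:
            continue
        # Heuristic (assumption): approval is documented in the comment directly above.
        prev = lines[i - 2].strip() if i > 1 else ""
        if not (prev.startswith("#") and "approved" in prev.lower()):
            findings.append((i, "CSP_PROJECT_DOMAINS without an approval comment above it"))
        for source in m.group(1).split():
            host = host_of(source)
            if any(fnmatch(host, pat) for pat in DEFAULT_HOSTS):
                findings.append((i, f"{source} is already in the default policy"))
            elif not HOST_RE.fullmatch(host):
                findings.append((i, f"{source} is not a valid host source"))
    return findings


# Constructed sample input, not the project's real file.
SAMPLE = '''\
Header set Content-Security-Policy "default-src 'self' https://cdn.example/"
SetEnv CSP_PROJECT_DOMAINS "https://.search.example/ https://downloads.apache.org/"
# Adding 3rd party search service. Approved by VP Data Privacy.
SetEnv CSP_PROJECT_DOMAINS "https://*.search.example/"
'''

if __name__ == "__main__":
    for lineno, message in lint_htaccess(SAMPLE):
        print(f"line {lineno}: {message}")
```

The check only confirms that an approval comment is present; whether approval was actually obtained still has to be verified by a reviewer.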