The Content-Security-Policy header must not be overridden

[sebbASF]

tsfile/src/.vuepress/public/.htaccess

Line 9 in 054e8a3

Header set Content-Security-Policy "default-src data: blob: 'self' *.apache.org *.githubusercontent.com *.github.com *.algolia.net *.algolianet.com *.apachecon.com *.communityovercode.org 'unsafe-inline' 'unsafe-eval'; frame-src 'self' data: blob:; frame-ancestors 'self'; worker-src 'self' data: blob:; img-src 'self' blob: data: https: *.apache.org www.apachecon.com; style-src 'self' 'unsafe-inline' data:;"

The Content-Security-Policy header must not be overridden.

There is now a standard way to add local exceptions to the CSP:

https://infra.apache.org/tools/csp.html

You need to get approval before adding any domains. Also please document such approval in the .htaccess file.

The following are already included in the default:

https://www.apachecon.com/
https://www.communityovercode.org/
https://*.apache.org/
https://apache.org/
https://*.scarf.sh/

[CritasWang]

So do these need to be applied for separately?

CSP permissions for foo.apache.org - Adding 3rd party service Algolia. Approved by VP Data Privacy.

SetEnv CSP_PROJECT_DOMAINS "https://.algolia.net/ https://.algolianet.com/ https://*.algolia.io/"

[sebbASF]

The document says:

"Each additional host you add MUST have been pre-approved by VP Data Privacy (privacy@apache.org), and SHOULD have an accompanying comment in the .htaccess file explaining why the CSP is changed and where permission was obtained."