[Website] Fix Content-Security-Policy header configuration #726
Conversation
Preview URL: https://thisisnic.github.io/arrow-site
If the preview URL doesn't work, you may have forgotten to configure your fork repository for preview.
There is no need to add https://proxy.kapa.ai/ etc as they are included in https://*.kapa.ai/ Also, INFRA-26638 only relates to kapa.ai; you need to get approval before adding any other exceptions.
Thanks @sebbASF - where can I find out which ones are included as the default so I can check the others?
The default is currently:

default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ;
script-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ;
style-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ;
frame-ancestors 'self';
frame-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ https://*.scarf.sh/ ;
worker-src 'self' data: blob:;

[I've added extra line-breaks to make it clearer]

I don't think this is documented anywhere (yet), but can be found by checking any site that does not use an override.

$ curl -fsSIL https://whimsy.apache.org | grep -i 'policy'
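As an added example, not code from this PR or from the Arrow site, here is a small Python audit that parses the default policy quoted above and classifies a proposed CSP_PROJECT_DOMAINS list the way the review does: hosts the default already allows, hosts a requested wildcard already covers, and hosts that genuinely need an approved exception. The policy string and the domain list are constructed copies of the text on this page; the wildcard asterisks that markdown stripped from the quoted default are written out.

```python
from urllib.parse import urlsplit

# ASF default policy as quoted in the comment above (constructed copy; the
# wildcard asterisks that markdown stripped from the quote are restored here).
_DEFAULT_HOSTS = ("https://www.apachecon.com/ https://www.communityovercode.org/ "
                  "https://*.apache.org/ https://apache.org/ https://*.scarf.sh/")
DEFAULT_CSP = "; ".join(
    f"{d} 'self' data: blob: 'unsafe-inline' 'unsafe-eval' {_DEFAULT_HOSTS}"
    for d in ("default-src", "script-src", "style-src", "frame-src")
) + "; frame-ancestors 'self'; worker-src 'self' data: blob:"

# The CSP_PROJECT_DOMAINS value proposed in this PR, split into host-sources.
PR_DOMAINS = ("https://*.kapa.ai/ https://widget.kapa.ai/ https://proxy.kapa.ai/ "
              "https://kapa-widget-proxy-la7.kapa.ai/ https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app/ "
              "https://metrics.kapa.ai/ https://www.gstatic.com/ https://www.google.com/ "
              "https://www.recaptcha.net/ https://recaptcha.net/ https://www.apachecon.com/ "
              "https://www.communityovercode.org/").split()

def parse_csp(header):
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    parts = (part.split() for part in header.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def host_pattern(source):
    """(scheme, host) for a host-source like https://*.kapa.ai/; None for 'self', data: etc."""
    u = urlsplit(source)
    return (u.scheme.lower(), u.hostname) if u.hostname else None

def covers(pattern, host):
    """CSP host matching: '*.example' matches sub.example and a.b.example, never example."""
    (ps, ph), (hs, hh) = pattern, host
    if ph.startswith("*."):
        return ps == hs and hh.endswith(ph[1:]) and hh != ph[2:]
    return ps == hs and hh == ph

def audit_project_domains(domains, default_csp=DEFAULT_CSP, directive="default-src"):
    """Classify each requested host-source as already allowed by the default policy,
    redundant because another requested wildcard covers it, or needed (needs approval)."""
    defaults = [p for p in map(host_pattern, parse_csp(default_csp)[directive]) if p]
    wanted = {d: host_pattern(d) for d in domains}
    wildcards = [p for p in wanted.values() if p and p[1].startswith("*.")]
    verdict = {"default": [], "redundant": [], "needed": []}
    for entry, h in wanted.items():
        if any(covers(p, h) for p in defaults):
            verdict["default"].append(entry)
        elif any(p != h and covers(p, h) for p in wildcards):
            verdict["redundant"].append(entry)
        else:
            verdict["needed"].append(entry)
    return verdict
```

Run against PR_DOMAINS, only `https://*.kapa.ai/` and the non-kapa hosts land in "needed", which is the list that has to be checked against an approval ticket.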
| </IfModule> | ||
| # Content-Security-Policy exceptions (see https://infra.apache.org/tools/csp.html) | ||
| # kapa.ai domains approved in https://issues.apache.org/jira/browse/INFRA-26638 | ||
| SetEnv CSP_PROJECT_DOMAINS "https://*.kapa.ai/ https://widget.kapa.ai/ https://proxy.kapa.ai/ https://kapa-widget-proxy-la7.kapa.ai/ https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app/ https://metrics.kapa.ai/ https://www.gstatic.com/ https://www.google.com/ https://www.recaptcha.net/ https://recaptcha.net/ https://www.apachecon.com/ https://www.communityovercode.org/" |
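Review bot: the `SetEnv CSP_PROJECT_DOMAINS` value mixes three kinds of entries that should be separated before merge. `https://widget.kapa.ai/`, `https://proxy.kapa.ai/`, `https://kapa-widget-proxy-la7.kapa.ai/` and `https://metrics.kapa.ai/` are already matched by `https://*.kapa.ai/` and can be dropped; `https://www.apachecon.com/` and `https://www.communityovercode.org/` are in the default policy and are likewise redundant; `https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app/`, `https://www.gstatic.com/`, `https://www.google.com/`, `https://www.recaptcha.net/` and `https://recaptcha.net/` fall under neither the wildcard nor INFRA-26638, so the comment `# kapa.ai domains approved in https://issues.apache.org/jira/browse/INFRA-26638` overstates what is approved. Either obtain and cite approval for each of those hosts or remove them, and keep the comment accurate to the ticket's scope so the allow-list stays auditable.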
You don't need https://xxxetc.kapa.ai/ as that is covered by https://*.kapa.ai/
Also note that there are specific requirements for kapa.ai:
https://privacy.apache.org/faq/committers.html#can-i-use-kapaai-on-our-website-answer-machine
https://www.apachecon.com/ and https://www.communityovercode.org/ are covered in the default CSP
The other hosts need approval from privacy before they can be used.
Switches from directly setting the Content-Security-Policy header to using Apache Infra's recommended SetEnv CSP_PROJECT_DOMAINS approach. This resolves issue #723 by adding CSP exceptions rather than overriding the entire header.
Approval: https://issues.apache.org/jira/browse/INFRA-26638
We should test this when we merge it in case it breaks anything, as per previous updates with this.