Copilot commented on code in PR #1353:
URL: https://github.com/apache/airflow-site/pull/1353#discussion_r2649084920


##########
sphinx_airflow_theme/sphinx_airflow_theme/layout.html:
##########
@@ -257,6 +257,22 @@
         <meta http-equiv="Content-Type" content="text/html; charset={{ 
encoding }}" />
     {%- endif %}
     <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta http-equiv="Content-Security-Policy" content="
+      default-src 'self';
+      script-src 'self' 'unsafe-inline' 'unsafe-eval'
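Review bot: the 'unsafe-inline' keyword on the script-src line is what switches this policy off against script injection, because any inline `<script>` body, on* handler attribute or javascript: URL in the page is then allowed regardless of the host allowlist that follows it; 'unsafe-eval' additionally lets already-allowed scripts call eval() and new Function(). For a statically built Sphinx site, per-response nonces are not a practical replacement, since every visitor would receive the same nonce value baked into the generated HTML; hash-sources ('sha256-...' tokens computed over each inline script's exact text) are the workable route, at the cost of regenerating them whenever the theme's inline scripts or the templating that emits them changes. Please record in the PR which inline scripts and which eval() users force these two keywords, so they can be removed one at a time rather than left open-ended.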

Review Comment:
   The use of 'unsafe-inline' and 'unsafe-eval' in the script-src directive 
significantly weakens the Content Security Policy, as they allow inline scripts 
and eval() usage which are common XSS attack vectors. Consider using nonces or 
hashes for inline scripts instead of 'unsafe-inline', and refactor code to 
eliminate the need for 'unsafe-eval'. If these are required for third-party 
dependencies or Sphinx functionality, document why they are necessary and 
consider if they can be scoped more narrowly.
   ```suggestion
         script-src 'self'
   ```
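As an added illustration of the hash-based alternative the comment above recommends (example code written for this page, not part of the PR or of the airflow-site theme): a small Python script that pulls the bodies of inline `<script>` and `<style>` elements out of a built page, computes the CSP 'sha256-...' token for each, and emits script-src/style-src directives that carry those hashes instead of 'unsafe-inline'. The sample HTML and the host lists passed in are constructed for the example; the hash tokens must be recomputed whenever an inline block changes.

```python
import base64
import hashlib
import re

# Constructed sample standing in for a built Sphinx page: two inline scripts,
# one external script and one inline style (not the airflow-site theme's HTML).
SAMPLE_HTML = """<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
<style>.nav { color: red }</style>
</head><body>
<script type="text/javascript">
  document.body.classList.add("js");
</script>
<script src="/static/theme.js"></script>
</body></html>"""

# Matches <script ...>body</script> and <style ...>body</style>, body spanning lines.
_INLINE_RE = re.compile(r"<(script|style)\b([^>]*)>(.*?)</\1>", re.IGNORECASE | re.DOTALL)


def inline_blocks(html: str) -> dict[str, list[str]]:
    """Return the bodies of inline <script> and <style> elements, keyed by tag.

    Scripts with a src attribute load external code and are skipped: those are
    governed by the host-sources ('self', https://...) in the directive, not by hashes.
    """
    found: dict[str, list[str]] = {"script": [], "style": []}
    for tag, attrs, body in _INLINE_RE.findall(html):
        tag = tag.lower()
        if tag == "script" and re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue
        found[tag].append(body)
    return found


def csp_hash(source: str) -> str:
    """CSP hash-source token for one inline block.

    The digest covers the element's exact text content, whitespace included, so
    any edit to the inline block (or to the template producing it) invalidates it.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hashed_directive(name: str, bodies: list[str], hosts: list[str]) -> str:
    """Build e.g. "script-src 'self' <hosts> 'sha256-...' ...;" with no 'unsafe-inline'."""
    tokens = ["'self'", *hosts, *(csp_hash(body) for body in bodies)]
    return f"{name} {' '.join(tokens)};"


def build_policy(html: str, script_hosts: list[str], style_hosts: list[str]) -> str:
    """Assemble a policy whose inline allowances are hashes rather than 'unsafe-inline'."""
    blocks = inline_blocks(html)
    return " ".join([
        "default-src 'self';",
        hashed_directive("script-src", blocks["script"], script_hosts),
        hashed_directive("style-src", blocks["style"], style_hosts),
        "object-src 'none';",
        "base-uri 'self';",
    ])


if __name__ == "__main__":
    # Hosts below are illustrative, taken from the shape of the PR's allowlist.
    print(build_policy(SAMPLE_HTML, ["https://*.apache.org"], ["https://fonts.googleapis.com"]))
```

Hash-sources cover the text of `<script>` and `<style>` elements only; inline event-handler attributes and `style="..."` attributes are not matched by a hash unless the directive also carries 'unsafe-hashes', and external scripts loaded via `src` stay subject to the host-sources. In a Sphinx build this would run as a post-build step over the generated HTML, since the hashes have to match the final rendered bytes.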



##########
sphinx_airflow_theme/sphinx_airflow_theme/layout.html:
##########
@@ -257,6 +257,22 @@
         <meta http-equiv="Content-Type" content="text/html; charset={{ 
encoding }}" />
     {%- endif %}
     <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta http-equiv="Content-Security-Policy" content="
+      default-src 'self';
+      script-src 'self' 'unsafe-inline' 'unsafe-eval'
+        https://www.apachecon.com
+        https://www.communityovercode.org
+        https://*.apache.org
+        https://*.scarf.sh;
+      style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
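Review bot: the wildcard host-sources https://*.apache.org and https://*.scarf.sh on the script-src lines grant script execution to every subdomain of those zones, on any path, and combined with 'unsafe-inline' on the same directive the allowlist adds little protection. Suggest listing the concrete hosts the theme actually loads scripts from (the two explicitly named apachecon.com and communityovercode.org hosts are the right model) and, where a subdomain wildcard is genuinely needed, noting in the PR which script requires it. The style-src line has the same 'unsafe-inline' weakness; the theme's inline `<style>` blocks can be covered by 'sha256-...' hash-sources in the same way as scripts, with the caveat that inline style="" attributes additionally require 'unsafe-hashes'.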

Review Comment:
   The use of 'unsafe-inline' in the style-src directive weakens the Content 
Security Policy by allowing inline styles, which can be exploited for certain 
attacks. Consider using nonces or hashes for inline styles, or moving styles to 
external stylesheets. If 'unsafe-inline' is required for Sphinx functionality 
or third-party dependencies, document the necessity.
   ```suggestion
         style-src 'self' https://fonts.googleapis.com;
   ```



##########
sphinx_airflow_theme/sphinx_airflow_theme/layout.html:
##########
@@ -257,6 +257,22 @@
         <meta http-equiv="Content-Type" content="text/html; charset={{ 
encoding }}" />
     {%- endif %}
     <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta http-equiv="Content-Security-Policy" content="
+      default-src 'self';
+      script-src 'self' 'unsafe-inline' 'unsafe-eval'
+        https://www.apachecon.com
+        https://www.communityovercode.org
+        https://*.apache.org
+        https://*.scarf.sh;
+      style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+      font-src 'self' https://fonts.gstatic.com data:;
+      img-src 'self' data: https://*.apache.org https://*.scarf.sh;
+      connect-src 'self' https://*.apache.org https://*.scarf.sh;
+      frame-ancestors 'none';
+      object-src 'none';
+      base-uri 'self';
+      form-action 'self';
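Review bot: frame-ancestors 'none' on the fourth-from-last added line has no effect here, because the CSP specification ignores frame-ancestors (along with report-uri and sandbox) when the policy is delivered in a `<meta http-equiv>` element; clickjacking protection for the built site needs the same directive sent as a Content-Security-Policy HTTP response header, or an X-Frame-Options: DENY header, from whatever serves the pages. The remaining directives (object-src 'none', base-uri 'self', form-action 'self') are honoured from meta and are worth keeping. Note also that the unchanged viewport meta line is still present in the context immediately above the added block, so nothing needs re-adding there.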

Review Comment:
   The viewport meta tag has been removed but this is essential for responsive 
design on mobile devices. The CSP meta tag should be added without removing the 
viewport meta tag. Add back the line:
   `<meta name="viewport" content="width=device-width, initial-scale=1">`



##########
sphinx_airflow_theme/sphinx_airflow_theme/layout.html:
##########
@@ -257,6 +257,22 @@
         <meta http-equiv="Content-Type" content="text/html; charset={{ 
encoding }}" />
     {%- endif %}
     <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta http-equiv="Content-Security-Policy" content="
+      default-src 'self';
+      script-src 'self' 'unsafe-inline' 'unsafe-eval'
+        https://www.apachecon.com
+        https://www.communityovercode.org
+        https://*.apache.org
+        https://*.scarf.sh;
+      style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+      font-src 'self' https://fonts.gstatic.com data:;
+      img-src 'self' data: https://*.apache.org https://*.scarf.sh;
+      connect-src 'self' https://*.apache.org https://*.scarf.sh;
+      frame-ancestors 'none';
+      object-src 'none';
+      base-uri 'self';
+      form-action 'self';
+    ">
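Review bot: a meta-delivered policy only governs content the parser encounters after the meta element, so any script or stylesheet that layout.html (or a Sphinx extension) emits earlier in `<head>` is outside this policy; please confirm this tag precedes every resource-loading element or move it to the top of `<head>`. Because meta CSP cannot carry report-uri or report-to, production will produce no violation reports, so before merging it is worth loading the built site with the browser console open and checking for CSP violation errors across a few representative pages (search, versioned docs, pages embedding apache.org or scarf.sh content). The multi-line content attribute itself parses correctly, since directives are split on ';' and tokens on ASCII whitespace, which includes the newlines used here.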

Review Comment:
   The CSP meta tag has inconsistent indentation. The opening line uses 4 
spaces, but the policy directives use 6 spaces. For better readability and 
consistency, align all directives with the same indentation level, or consider 
placing the entire CSP on a single line to avoid formatting issues.
   ```suggestion
      <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com https://www.communityovercode.org https://*.apache.org https://*.scarf.sh; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https://*.apache.org https://*.scarf.sh; connect-src 'self' https://*.apache.org https://*.scarf.sh; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self';">
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
