This is an automated email from the ASF dual-hosted git repository.

ianmcook pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 42744eac780 Try fix Content Security Policy errors (take 7) (#601)
42744eac780 is described below

commit 42744eac780a60484afe4eaa0c54e2148cd0ba36
Author: Ian Cook <[email protected]>
AuthorDate: Thu Feb 20 10:41:32 2025 -0700

    Try fix Content Security Policy errors (take 7) (#601)
---
 .htaccess          | 12 ------------
 _includes/top.html | 10 ++++++++++
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/.htaccess b/.htaccess
index e891c2acb92..327ebb6c3c7 100644
--- a/.htaccess
+++ b/.htaccess
@@ -24,15 +24,3 @@ Redirect permanent /datafusion-python 
https://datafusion.apache.org/python
 
 # redirect all ballista URLs to new website
 Redirect permanent /ballista https://datafusion.apache.org/ballista
-
-# fix Safari Content Security Policy errors
-Header unset Content-Security-Policy
-Header add Content-Security-Policy "default-src 'self' data: blob: 
'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ 
https://analytics.apache.org/; \
- connect-src 'self' https://*.apache.org/ https://api.github.com/; \
- script-src 'self' 'unsafe-inline' 'unsafe-eval' 
https://analytics.apache.org/; \
- style-src 'self' 'unsafe-inline' data: https://fonts.googleapis.com/; \
- frame-ancestors 'self'; \
- frame-src 'self' data: blob:; \
- img-src 'self' data: https://*.apache.org/; \
- worker-src 'self' data: blob:; \
- font-src 'self' https://fonts.gstatic.com/;";
diff --git a/_includes/top.html b/_includes/top.html
index 1c9ae0bfaf7..9b21a757382 100644
--- a/_includes/top.html
+++ b/_includes/top.html
@@ -3,6 +3,16 @@
   <head>
     <meta charset="UTF-8">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta http-equiv="Content-Security-Policy-Report-Only" content="
+      default-src 'self' data: blob: https://*.apache.org/ 
https://www.apachecon.com/ https://www.communityovercode.org/;
+      script-src 'self' https://*.apache.org/ 
'sha256-zcLnLb0EtdHEeff3LAr93euk343CTrN0BMhlaeAD8yY=' 
'sha256-eeHr1PLkM55qPqkpxjBDHGtxfQf3RvEYoENHzN4IL0Q=';
+      style-src 'self' https://fonts.googleapis.com/ 
'sha256-88sV2hhBstoYcag54b2hPpN+Oei7wd2Roz3k+RXEAfk=' 
'sha256-B3D8HD6PV1HtGZ5Z3qkXsN6p/LAiwBn9jehRuPkMBhQ=' 
'sha256-qo7STIM1L/OgU9y0De47mqod1UZFLJfTn36bRC42rfA=';
+      frame-ancestors 'self';
+      frame-src 'self' data: blob:;
+      img-src 'self' data: https://*.apache.org/;
+      worker-src 'self' data: blob:;
+      connect-src 'self' https://*.apache.org/ https://api.github.com/;
+      font-src 'self' https://*.apache.org/ https://fonts.gstatic.com/;";>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <!-- The above meta tags *must* come first in the head; any other head 
content must come *after* these tags -->
     {% if page.title %}
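Review bot: The `Content-Security-Policy-Report-Only` policy added to `<head>` is unlikely to have any effect, because the CSP specification does not support the report-only variant in a `<meta http-equiv>` element and browsers ignore it there; a report-only policy has to arrive as an HTTP response header. Even in an enforcing `<meta>` policy, `frame-ancestors 'self'` is ignored, so framing protection has to come from a response header, and it is worth confirming what the server still sends now that the first hunk removes the `Header add Content-Security-Policy` block from `.htaccess`. The policy also names no `report-uri` or `report-to` endpoint, so any violations would only show up in the browser console of whoever is looking. Separately, the tag ends with `;";>`, which leaves a stray `;` after the closing quote; the last line should read `font-src 'self' https://*.apache.org/ https://fonts.gstatic.com/;">`.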
