zregvart commented on issue #1427:
URL: https://github.com/apache/camel-website/issues/1427#issuecomment-3450792920

I think the policy we have in place is stricter than the ASF default one. Have a look at the [current infra setting](https://github.com/apache/infrastructure-p6/blob/cc39fd5ff7dbe674bd2bc372df9fca6ec03a4b05/modules/csp_cors/manifests/init.pp).

I think we might not need `form-action 'self'`, can tolerate changing `frame-ancestors 'none'` to `frame-ancestors 'self'`, removing `upgrade-insecure-requests`, and I think the `connect-src`, `img-src` and `child-src` that we have set very strictly can be replaced with `script-src`, `style-src` and `frame-src` set broadly to `CSP_PROJECT_DOMAINS`, with some caveats: we should note that this would allow algolianet.com, algolianet.net or githubusercontent.com to inject a frame, which we do not allow under the current CSP.
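One way to make the caveat above concrete before changing the infra setting is to diff the two policies mechanically rather than by eye. The script below is an added example and is not code from the camel-website project or the ASF infra repo. It parses two Content-Security-Policy header values, applies the spec's fallback rules (`frame-src` falls back to `child-src` and then `default-src`; `frame-ancestors` and `form-action` never fall back), and lists every (directive, origin) pair the relaxed policy permits that the strict one refuses. Both policies are constructed for illustration, `PROJECT_DOMAINS` stands in for the real `CSP_PROJECT_DOMAINS` value, `https://camel.apache.org` is assumed as the site's own origin, and port numbers are ignored in matching.

```python
"""Compare a strict CSP against a relaxed one and report what the relaxation opens.

Added example; not part of the camel-website project or the ASF infra manifests.
The policies, PROJECT_DOMAINS and the self origin are constructed/assumed.
"""
from urllib.parse import urlsplit

# Assumed stand-in for the real CSP_PROJECT_DOMAINS value.
PROJECT_DOMAINS = ["*.apache.org", "*.algolianet.com", "*.algolianet.net",
                   "*.githubusercontent.com"]
SELF_ORIGIN = "https://camel.apache.org"  # assumed site origin

# Constructed policies: a strict one and the proposed relaxation.
STRICT_CSP = ("default-src 'self'; script-src 'self'; "
              "connect-src 'self' https://*.algolianet.com; img-src 'self'; "
              "child-src 'none'; frame-ancestors 'none'; form-action 'self'; "
              "upgrade-insecure-requests")
RELAXED_CSP = ("default-src 'self'; "
               "script-src 'self' " + " ".join(PROJECT_DOMAINS) + "; "
               "style-src 'self' " + " ".join(PROJECT_DOMAINS) + "; "
               "frame-src " + " ".join(PROJECT_DOMAINS) + "; "
               "frame-ancestors 'self'")

# Directives that fall back to other directives when absent (spec order).
# frame-ancestors and form-action deliberately have no fallback.
FALLBACKS = {
    "script-src": ["default-src"], "style-src": ["default-src"],
    "img-src": ["default-src"], "connect-src": ["default-src"],
    "child-src": ["default-src"], "frame-src": ["child-src", "default-src"],
    "frame-ancestors": [], "form-action": [],
}


def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive: [source expressions]}.
    Directive names are case-insensitive; the first occurrence wins."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """Return the source list governing `directive`, or None if unrestricted."""
    for name in [directive] + FALLBACKS.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def host_matches(pattern: str, host: str) -> bool:
    """Match a CSP host-source ('*', '*.example.com' or exact host)."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_allows(expr: str, origin: str, self_origin: str) -> bool:
    """Decide whether one source expression admits `origin` (ports ignored)."""
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin == self_origin
    if expr.startswith("'"):  # 'unsafe-inline', nonces, hashes: not origin-based
        return False
    o = urlsplit(origin)
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. "https:"
        return o.scheme == expr[:-1]
    if "://" in expr:  # full host-source with scheme
        p = urlsplit(expr)
        return p.scheme == o.scheme and host_matches(p.hostname or "", o.hostname or "")
    return host_matches(expr, o.hostname or "")  # bare host-source


def allows(policy: dict, directive: str, origin: str, self_origin: str = SELF_ORIGIN) -> bool:
    sources = effective_sources(policy, directive)
    if sources is None:  # no governing directive: browser imposes no restriction
        return True
    return any(source_allows(s, origin, self_origin) for s in sources)


def newly_allowed(strict: str, relaxed: str, directives, origins, self_origin=SELF_ORIGIN):
    """(directive, origin) pairs the relaxed policy permits but the strict one refuses."""
    s, r = parse_csp(strict), parse_csp(relaxed)
    return [(d, o) for d in directives for o in origins
            if allows(r, d, o, self_origin) and not allows(s, d, o, self_origin)]


# Constructed test origins: the site itself, two project-domain hosts, an outsider.
ORIGINS = [SELF_ORIGIN, "https://abc-dsn.algolianet.com",
           "https://raw.githubusercontent.com", "https://attacker.example"]
DIRECTIVES = ["script-src", "frame-src", "frame-ancestors"]

if __name__ == "__main__":
    for directive, origin in newly_allowed(STRICT_CSP, RELAXED_CSP, DIRECTIVES, ORIGINS):
        print(f"relaxation newly permits {directive:16s} from {origin}")
```

Running it shows exactly the frame injection the comment warns about: `frame-src` set to the project domains admits the Algolia and GitHub hosts that `child-src 'none'` currently refuses, and it also surfaces that the same widening applies to `script-src`, which is the more consequential of the two to review.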
