This is an automated email from the ASF dual-hosted git repository. rusackas pushed a commit to branch more-csp-mess in repository https://gitbox.apache.org/repos/asf/superset.git
commit fdc7792866e970ddd88416d998b92e95b1991ad7
Author: Evan Rusackas <[email protected]>
AuthorDate: Tue Feb 27 13:05:25 2024 -0700
fix(docs): remving meta tag CSP, poking more holes in htaccess
---
 docs/docusaurus.config.js | 1 -
 docs/static/.htaccess | 12 +++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/docs/docusaurus.config.js b/docs/docusaurus.config.js
index 5bd6feadaa..d7dc1c931c 100644
--- a/docs/docusaurus.config.js
+++ b/docs/docusaurus.config.js
@@ -261,7 +261,6 @@ const config = {
 theme: lightCodeTheme,
 darkTheme: darkCodeTheme,
 },
- metadata: [{name: 'Content-Security-Policy', content: "default-src 'self'; frame-src 'https://calendar.google.com/' 'https://preset.io/' 'https://sidebar.bugherd.com/';"}],
 }),
 scripts: [
 '/script/matomo.js',
diff --git a/docs/static/.htaccess b/docs/static/.htaccess
index 3f16f4519d..2fb74995a1 100644
--- a/docs/static/.htaccess
+++ b/docs/static/.htaccess
@@ -22,4 +22,14 @@ RewriteRule ^(.*)$ https://superset.apache.org/$1 [R,L]
 RewriteCond %{HTTP_HOST} ^superset.incubator.apache.org$ [NC]
 RewriteRule ^(.*)$ https://superset.apache.org/$1 [R=301,L]
-Header set Content-Security-Policy "default-src 'self'; frame-src 'https://calendar.google.com/' 'https://preset.io/' 'https://sidebar.bugherd.com/' 'https://unpkg.com/';"
+Header set Content-Security-Policy "default-src 'self'; img-src *;"
+
+Header set Content-Security-Policy "default-src 'self'; \
+script-src 'self'; \
+img-src 'self' https://static.scarf.sh *; \
+style-src 'self' https://fonts.googleapis.com; \
+script-src-elem 'self' https://www.googletagmanager.com https://www.google-analytics.com; \
+style-src-elem 'self' https://fonts.googleapis.com; \
+font-src 'self' https://fonts.gstatic.com; \
+frame-src 'self' https://calendar.google.com https://preset.io https://sidebar.bugherd.com 'https://unpkg.com; \
+"
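Review bot: The two consecutive `Header set Content-Security-Policy` lines in the .htaccess hunk leave the first one dead: `Header set` replaces any existing value of the header, so the `"default-src 'self'; img-src *;"` policy is never sent and only the multi-line policy reaches the browser — if that is the intent, delete the first line rather than keeping a second policy that a later edit could silently turn into the live one. In the multi-line policy the last `frame-src` source carries a stray quote, `'https://unpkg.com;`, which is not a valid source expression (quotes are reserved for keywords such as `'self'`), so browsers discard it and unpkg frames remain blocked; the line should read `frame-src 'self' https://calendar.google.com https://preset.io https://sidebar.bugherd.com https://unpkg.com; \`. `img-src 'self' https://static.scarf.sh *` is effectively just `img-src *`, since the wildcard already matches every network host, so any origin can load image beacons into the docs pages; if only the Scarf pixel is needed, listing that host without the `*` keeps the directive meaningful. `default-src` does not fall back to `base-uri` or `frame-ancestors`, so consider adding `base-uri 'self'` and an explicit `frame-ancestors` directive alongside the rewritten policy.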
