This does not work for me: 
https://freemarker.apache.org/docs/search-results.html?q=hello
I have tested in Chrome and Firefox.
When looking in the console, I can see CSP errors, even for 
https://freemarker.apache.org/

I assume the search problem is due to this one (Google Programmable Search 
Engine / Google Custom Search):
search-results.html?q=hello:52 Refused to load the script 
'https://cse.google.com/cse.js?cx=003127866208504630097:arjqbv_znfw' because it 
violates the following Content Security Policy directive: "script-src 'self' 
'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ 
https://www.apachecon.com/". Note that 'script-src-elem' was not explicitly 
set, so 'script-src' is used as a fallback.

Looking at the response headers I see:
Content-Security-Policy:
default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ 
https://www.communityovercode.org/ https://analytics.apache.org/; script-src 
'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ 
https://www.apachecon.com/; style-src 'self' 'unsafe-inline' data:; 
frame-ancestors 'self'; frame-src 'self' data: blob:; img-src 'self' data: 
https://*.apache.org/ https://www.apachecon.com/; worker-src 'self' data: blob:;

I assume the following is related: https://infra.apache.org/csp.html (effective 
March 1, 2025)
Reading https://privacy.apache.org/policies/website-policy.html:
"Assets (JavaScript files or snippets, images, fonts, CSS, etc.) from other 
domains cannot be loaded. All assets need to be hosted on ASF servers."

Regards,
Simon
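
The check the browser performed, as an added example that is not part of the original message or any ASF/FreeMarker code: it parses the header quoted above and evaluates a script URL against the governing directive, using the same script-src-elem to script-src fallback the console message mentions. The function names, the page origin passed in, and the simplified source matching (ports and scheme upgrades are ignored) are assumptions of this example.

```javascript
// Added example: simplified CSP check for a <script src> load.
// POLICY is the Content-Security-Policy header quoted in the message above.
const POLICY =
  "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ " +
  "https://www.communityovercode.org/ https://analytics.apache.org/; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ " +
  "https://www.apachecon.com/; style-src 'self' 'unsafe-inline' data:; " +
  "frame-ancestors 'self'; frame-src 'self' data: blob:; img-src 'self' data: " +
  "https://*.apache.org/ https://www.apachecon.com/; worker-src 'self' data: blob:;";

// Split the header into directive name -> source list; the first occurrence of a name wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Assumed simplification: handles 'self', scheme-sources and host-sources; ports are ignored.
function sourceMatches(expr, target, pageOrigin) {
  if (expr === "'self'") return target.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // 'unsafe-inline' etc. never allow an external URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(?::[\d*]+)?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme && scheme.toLowerCase() + ':' !== target.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? target.hostname.endsWith(h.slice(1)) : target.hostname === h;
  if (!hostOk) return false;
  if (!path || path === '/') return true;
  return path.endsWith('/') ? target.pathname.startsWith(path) : target.pathname === path;
}

// Script elements fall back script-src-elem -> script-src -> default-src.
function scriptAllowed(header, url, pageOrigin) {
  const directives = parseCsp(header);
  const directive = ['script-src-elem', 'script-src', 'default-src'].find((d) => directives.has(d));
  if (!directive) return { allowed: true, directive: null }; // no governing directive
  const target = new URL(url);
  const allowed = directives.get(directive).some((s) => sourceMatches(s, target, pageOrigin));
  return { allowed, directive };
}
```

Calling `scriptAllowed(POLICY, 'https://cse.google.com/cse.js?cx=003127866208504630097:arjqbv_znfw', 'https://freemarker.apache.org')` reports the load as refused under `script-src`, matching the console error.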
