An option could be https://pagefind.app/ It generates a local index at build time (e.g. using Github actions) by indexing the generated documentation's html. Adding search to the website requires a div with a specific id and a little JS snippet which is served from freemarker itself. The search looks and works like on the website above.
regarding CSP they require script-src 'unsafe-eval' https://pagefind.app/docs/hosting/#content-security-policy-csp I have implemented this in two sites recently via github actions similar to this: https://willschenk.com/labnotes/2023/indexing_a_hugo_site_using_pagefind/#headline-3 If something like this is wanted, I could try to help. Christoph Am Mo., 24. März 2025 um 21:45 Uhr schrieb Daniel Dekany < daniel.dek...@gmail.com>: > Ouch. If we are not supposed to call external services, then I believe we > can't solve on site search with Google. Well, I could send the form to > google.com with site:freemarker.apache.org though... kind of lame. Note > sure if there's a common solution for this at Apache. > > Also there's a font we load from CDN apparently, and now that's also > blocked. Had to check the licence to decide if we can store it locally > (because then it has to be part of the source code too). > > On Mon, Mar 24, 2025 at 3:39 PM Simon Hartley > <scrhart...@yahoo.co.uk.invalid> wrote: > > > This does not work for me: > > https://freemarker.apache.org/docs/search-results.html?q=hello > > I have tested in Chrome and FireFox. > > When looking in the console, I can see CSP errors, even for > > https://freemarker.apache.org/ > > > > I assume the search problem is due to this one (Google Programmable > Search > > Engine / Google Custom Search): > > search-results.html?q=hello:52 Refused to load the script ' > > https://cse.google.com/cse.js?cx=003127866208504630097:arjqbv_znfw' > > because it violates the following Content Security Policy directive: > > "script-src 'self' 'unsafe-inline' 'unsafe-eval' > > https://analytics.apache.org/ https://www.apachecon.com/";. Note that > > 'script-src-elem' was not explicitly set, so 'script-src' is used as a > > fallback. > > > > Looking at the response headers I see: > > Content-Security-Policy: > > default-src 'self' data: blob: 'unsafe-inline' > https://www.apachecon.com/ > > https://www.communityovercode.org/ https://analytics.apache.org/; > > script-src 'self' 'unsafe-inline' 'unsafe-eval' > > https://analytics.apache.org/ https://www.apachecon.com/; style-src > > 'self' 'unsafe-inline' data:; frame-ancestors 'self'; frame-src 'self' > > data: blob:; img-src 'self' data: https://*.apache.org/ > > https://www.apachecon.com/; worker-src 'self' data: blob:; > > > > I assume the following is related: https://infra.apache.org/csp.html > (effective March > > 1, 2025) > > Reading https://privacy.apache.org/policies/website-policy.html: > > "Assets (JavaScript files or snippets, images, fonts, CSS, etc.) from > > other domains cannot be loaded. All assets need to be hosted on ASF > > servers." > > > > Regards, > > Simon > > > > > -- > Best regards, > Daniel Dekany >
