Depends on if we can actually re-enable using these external services. (See
other answer.) If we can't, then yes, we should try this.

On Mon, Mar 24, 2025 at 10:15 PM Christoph Rueger <crue...@apache.org>
wrote:

> An option could be https://pagefind.app/
> It generates a local index at build time (e.g. using Github actions) by
> indexing the generated documentation's html.
> Adding search to the website requires a div with a specific id and a little
> JS snippet which is served from freemarker itself.
> The search looks and works like on the website above.
>
> Regarding CSP, they require
> script-src 'unsafe-eval'
> https://pagefind.app/docs/hosting/#content-security-policy-csp
>
> I have implemented this in two sites recently via github actions similar to
> this:
>
> https://willschenk.com/labnotes/2023/indexing_a_hugo_site_using_pagefind/#headline-3
>
> If something like this is wanted, I could try to help.
>
> Christoph
>
> On Mon, 24 Mar 2025 at 21:45, Daniel Dekany <
> daniel.dek...@gmail.com> wrote:
>
> > Ouch. If we are not supposed to call external services, then I believe we
> > can't solve on site search with Google. Well, I could send the form to
> > google.com with site:freemarker.apache.org though... kind of lame. Not
> > sure if there's a common solution for this at Apache.
> >
> > Also there's a font we load from CDN apparently, and now that's also
> > blocked. Had to check the licence to decide if we can store it locally
> > (because then it has to be part of the source code too).
> >
> > On Mon, Mar 24, 2025 at 3:39 PM Simon Hartley
> > <scrhart...@yahoo.co.uk.invalid> wrote:
> >
> > > This does not work for me:
> > > https://freemarker.apache.org/docs/search-results.html?q=hello
> > > I have tested in Chrome and Firefox.
> > > When looking in the console, I can see CSP errors, even for
> > > https://freemarker.apache.org/
> > >
> > > I assume the search problem is due to this one (Google Programmable Search
> > > Engine / Google Custom Search):
> > > search-results.html?q=hello:52 Refused to load the script '
> > > https://cse.google.com/cse.js?cx=003127866208504630097:arjqbv_znfw'
> > > because it violates the following Content Security Policy directive:
> > > "script-src 'self' 'unsafe-inline' 'unsafe-eval'
> > > https://analytics.apache.org/ https://www.apachecon.com/". Note that
> > > 'script-src-elem' was not explicitly set, so 'script-src' is used as a
> > > fallback.
> > >
> > > Looking at the response headers I see:
> > > Content-Security-Policy:
> > > default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/
> > > https://www.communityovercode.org/ https://analytics.apache.org/;
> > > script-src 'self' 'unsafe-inline' 'unsafe-eval'
> > > https://analytics.apache.org/ https://www.apachecon.com/; style-src
> > > 'self' 'unsafe-inline' data:; frame-ancestors 'self'; frame-src 'self'
> > > data: blob:; img-src 'self' data: https://*.apache.org/
> > > https://www.apachecon.com/; worker-src 'self' data: blob:;
> > >
> > > I assume the following is related: https://infra.apache.org/csp.html
> > > (effective March 1, 2025)
> > > Reading https://privacy.apache.org/policies/website-policy.html:
> > > "Assets (JavaScript files or snippets, images, fonts, CSS, etc.) from
> > > other domains cannot be loaded. All assets need to be hosted on ASF
> > > servers."
> > >
> > > Regards,
> > > Simon
> > >
> >
> >
> > --
> > Best regards,
> > Daniel Dekany
> >
>


-- 
Best regards,
Daniel Dekany
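
The check behind the console error quoted in this thread, as an added JavaScript (Node.js) example that is not part of the original messages: it parses the quoted Content-Security-Policy header and decides whether a script URL may load and whether eval() is permitted. The function names and the simplified source-matching rules are assumptions for illustration.

```javascript
// Constructed from the response header quoted in the thread (line wraps removed).
const POLICY =
  "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ " +
  "https://www.communityovercode.org/ https://analytics.apache.org/; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ " +
  "https://www.apachecon.com/; style-src 'self' 'unsafe-inline' data:; " +
  "frame-ancestors 'self'; frame-src 'self' data: blob:; " +
  "img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/; " +
  "worker-src 'self' data: blob:;";

// Parse a header value into Map(directive -> source list); the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Simplified source matching: 'self', scheme sources, and scheme://host sources with
// an optional "*." wildcard and path. Ports, bare "*", nonces and hashes are not handled.
function matchesSource(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^\/:]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, path = "/"] = m;
  const h = host.toLowerCase();
  const hostOk = wildcard ? url.hostname.endsWith("." + h) : url.hostname === h;
  const pathOk = path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  return url.protocol === scheme.toLowerCase() + ":" && hostOk && pathOk;
}

// <script src> falls back script-src-elem -> script-src -> default-src; eval() skips the first.
function checkScript(header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  const elemList =
    policy.get("script-src-elem") ?? policy.get("script-src") ?? policy.get("default-src");
  const evalList = policy.get("script-src") ?? policy.get("default-src");
  const url = new URL(scriptUrl);
  return {
    allowed: !elemList || elemList.some((s) => matchesSource(s, url, pageOrigin)),
    evalAllowed: !evalList || evalList.includes("'unsafe-eval'"),
  };
}
console.log(checkScript(POLICY, "https://cse.google.com/cse.js", "https://freemarker.apache.org"));
```

Under the quoted policy, a search script served from the site's own origin passes the `'self'` source, and the `'unsafe-eval'` that Pagefind's documentation asks for is already present in `script-src`.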
