Radu Cotescu created SLING-12650:
------------------------------------

             Summary: Newly applied ASF-wide CSP policies break the Sling 
website
                 Key: SLING-12650
                 URL: https://issues.apache.org/jira/browse/SLING-12650
             Project: Sling
          Issue Type: Bug
          Components: Site
            Reporter: Radu Cotescu


The CSP added via https://github.com/apache/infrastructure-p6/pull/2025/files 
only allows resources served by the ASF servers to be loaded by the browser. 
This breaks the Sling website:

{noformat}
Refused to load the stylesheet 
'https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css' because 
it violates the following Content Security Policy directive: "style-src 'self' 
'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 
'style-src' is used as a fallback.

apache-sling-eventing-and-job-handling.html:1 Refused to load the script 
'https://www.apachecon.com/event-images/snippet.js' because it violates the 
following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 
'unsafe-eval' https://analytics.apache.org/";. Note that 'script-src-elem' was 
not explicitly set, so 'script-src' is used as a fallback.

apache-sling-eventing-and-job-handling.html:8 Refused to load the stylesheet 
'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css'
 because it violates the following Content Security Policy directive: 
"style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not 
explicitly set, so 'style-src' is used as a fallback.

apache-sling-eventing-and-job-handling.html:1 Refused to load the script 
'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js' 
because it violates the following Content Security Policy directive: 
"script-src 'self' 'unsafe-inline' 'unsafe-eval' 
https://analytics.apache.org/";. Note that 'script-src-elem' was not explicitly 
set, so 'script-src' is used as a fallback.

apache-sling-eventing-and-job-handling.html:10 Uncaught ReferenceError: hljs is 
not defined
    at apache-sling-eventing-and-job-handling.html:10:13
apache-sling-eventing-and-job-handling.html:26 Refused to load the script 
'https://matomo.privacy.apache.org/matomo.js' because it violates the following 
Content Security Policy directive: "script-src 'self' 'unsafe-inline' 
'unsafe-eval' https://analytics.apache.org/";. Note that 'script-src-elem' was 
not explicitly set, so 'script-src' is used as a fallback.

(anonymous) @ apache-sling-eventing-and-job-handling.html:26
apache-sling-eventing-and-job-handling.html:1 Refused to load the image 
'data:image/svg+xml,%3Csvg width='18' height='18' viewBox='0 0 18 18' 
fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12.7549 
11.255H11.9649L11.6849 10.985C12.6649 9.845 13.2549 8.365 13.2549 6.755C13.2549 
3.165 10.3449 0.255005 6.75488 0.255005C3.16488 0.255005 0.254883 3.165 
0.254883 6.755C0.254883 10.345 3.16488 13.255 6.75488 13.255C8.36488 13.255 
9.84488 12.665 10.9849 11.685L11.2549 11.965V12.755L16.2549 17.745L17.7449 
16.255L12.7549 11.255ZM6.75488 11.255C4.26488 11.255 2.25488 9.245 2.25488 
6.755C2.25488 4.26501 4.26488 2.255 6.75488 2.255C9.24488 2.255 11.2549 4.26501 
11.2549 6.755C11.2549 9.245 9.24488 11.255 6.75488 11.255Z' 
fill='%23000000'/%3E%3C/svg%3E%0A' because it violates the following Content 
Security Policy directive: "img-src 'self' https://www.apache.org/".

apache-sling-eventing-and-job-handling.html:1 Refused to load the stylesheet 
'https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css' because 
it violates the following Content Security Policy directive: "style-src 'self' 
'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 
'style-src' is used as a fallback.

apache-sling-eventing-and-job-handling.html:1 Refused to load the stylesheet 
'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css'
 because it violates the following Content Security Policy directive: 
"style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not 
explicitly set, so 'style-src' is used as a fallback.
{noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

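As an added example (not part of this issue, the infrastructure-p6 change or the Sling site), a small offline Python checker that reproduces the behaviour the console messages describe: 'style-src-elem' and 'script-src-elem' fall back to 'style-src'/'script-src', which fall back to 'default-src', and a data: image needs an explicit data: source because it is never 'self'. It assumes a constructed policy made from the directives quoted in the errors, the page origin https://sling.apache.org, and a constructed same-origin script path; wildcard hosts are not handled.

```python
from urllib.parse import urlparse

# Constructed policy carrying the directives quoted in the console errors above.
ASF_CSP = ("default-src 'self'; img-src 'self' https://www.apache.org/; "
           "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/; "
           "style-src 'self' 'unsafe-inline'")

# (governing directive, URL) pairs from the log, plus one constructed same-origin script.
PAGE_RESOURCES = [
    ("style-src-elem", "https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css"),
    ("script-src-elem", "https://www.apachecon.com/event-images/snippet.js"),
    ("script-src-elem", "https://matomo.privacy.apache.org/matomo.js"),
    ("script-src-elem", "https://sling.apache.org/js/site.js"),  # constructed
    ("img-src", "data:image/svg+xml,%3Csvg%3E"),  # the SVG data: URL, shortened
]

# Fallback chain the browser applied: *-elem -> script-src/style-src -> default-src.
FALLBACK = {"script-src-elem": "script-src", "style-src-elem": "style-src",
            "script-src": "default-src", "style-src": "default-src", "img-src": "default-src"}

def parse_csp(header):
    """Turn 'name src src; name src' into {name: [source expressions]}."""
    return {p[0].lower(): p[1:] for d in header.split(";") if (p := d.split())}

def effective_sources(policy, directive):
    """Walk the fallback chain; None means no directive governs this fetch."""
    while directive not in policy:
        directive = FALLBACK.get(directive)
        if directive is None:
            return None
    return policy[directive]

def source_matches(source, url, page_origin):
    """Match one source expression against a URL (wildcard hosts not handled)."""
    u = urlparse(url)
    if u.scheme == "data":  # data: is never same-origin; it needs an explicit data: source
        return source == "data:"
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):  # 'unsafe-inline' and friends never match a fetched URL
        return False
    s = urlparse(source)  # host source, optionally with a path prefix
    return (u.scheme, u.netloc) == (s.scheme, s.netloc) and u.path.startswith(s.path)

def refused(header, resources, page_origin):
    """Return the (directive, url) pairs this policy blocks, as the console reported."""
    policy = parse_csp(header)
    return [(d, url) for d, url in resources
            if (srcs := effective_sources(policy, d)) is not None
            and not any(source_matches(s, url, page_origin) for s in srcs)]
```

Running `refused(ASF_CSP, PAGE_RESOURCES, "https://sling.apache.org")` lists the four third-party and data: resources from the log and passes the same-origin script; widening img-src with `data:` and style-src with the cdnjs origin leaves only the two external scripts refused.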