junrushao commented on PR #193: URL: https://github.com/apache/tvm-ffi/pull/193#issuecomment-3449115370
Here's what chatgpt says: This happens because the published site is trying to load your SVG **from a third‑party origin** (`raw.githubusercontent.com`). That works on your machine (no strict security headers), but on `tvm.apache.org` the page is served with a **Content Security Policy (CSP)** that disallows embedding external resources. The source of the page shows the `figure` still points at the GitHub raw URL, so the browser must fetch it cross‑origin; ASF’s website policy (effective Mar 1, 2025) explicitly restricts embedding third‑party content, which is why it fails on the live site. ([[tvm.apache.org](https://tvm.apache.org/ffi/_sources/get_started/stable_c_abi.rst)][1]) ### Best fix (recommended) **Serve the image from the docs site itself (no hotlinking).** 1. Put the SVG under your Sphinx source tree, e.g. `docs/_static/img/tvm-ffi/stable-c-abi-layout-any.svg`. 2. Change the directive to a **local** path (relative to the `.rst` file): ```rst .. figure:: ../_static/img/tvm-ffi/stable-c-abi-layout-any.svg :alt: Layout of the 128-bit Any tagged union :name: fig:layout-any ``` Sphinx will copy local images into the build output and rewrite the `<img src>` to a same‑origin URL, so CSP is satisfied. ([[JetBrains](https://www.jetbrains.com/guide/python/tutorials/sphinx_sites/more_authoring/?utm_source=chatgpt.com)][2]) > Tip: You don’t have to use `_static`; any folder under the Sphinx source works. Sphinx will place the files into `_images` in the HTML build. ### If you need a single source of truth for images (but still comply with CSP) **Option A — Git submodule or sync step** * Add the shared image repo as a submodule and reference the files locally: ```bash git submodule add https://github.com/tlc-pack/web-data docs/_static/web-data ``` Then in your `.rst`: ```rst .. figure:: ../_static/web-data/images/tvm-ffi/stable-c-abi-layout-any.svg :alt: Layout of the 128-bit Any tagged union :name: fig:layout-any ``` Or add a pre‑build step (in CI) that `curl/wget`s the assets into your docs tree before `sphinx-build`. End result is still a same‑origin image. **Option B — Have Sphinx download remote images at build time** If you really want to keep URLs in the docs, use an extension that **downloads** remote images during the build and serves them locally. * Install and enable [`[sphinxcontrib-images](https://pypi.org/project/sphinxcontrib-images/)`](https://pypi.org/project/sphinxcontrib-images/): ```python # conf.py extensions = ['sphinxcontrib.images'] images_config = { 'download': True, # ensure remote images are fetched 'cache_path': '_images', # where to keep downloaded assets } ``` Then use its `thumbnail` directive (or override the default `image` handling) so the URL is fetched and stored into your build’s `_images/`, avoiding CSP issues. Note: thumbnails aren’t numbered like `figure`s; if you rely on `:numref:`, stick with local files + `figure`. ([[sphinxcontrib-images.readthedocs.io](https://sphinxcontrib-images.readthedocs.io/)][3]) ### What not to do (or why the current approach breaks) * Keeping `.. figure:: https://raw.githubusercontent.com/...` relies on cross‑origin loads. ASF’s CSP forbids embedding third‑party content on project sites, so this will continue to fail on `tvm.apache.org`. ([[infra.apache.org](https://infra.apache.org/csp.html)][4]) * The `?sanitize=true` on GitHub SVGs doesn’t help with CSP; it only affects how GitHub serves the SVG. The CSP check happens in the **browser** on `tvm.apache.org`. ### Bonus: if you also build PDF LaTeX can’t embed SVG directly. If you keep SVGs, add one of these to `conf.py` so PDF builds keep working: ```python extensions += ['sphinx.ext.imgconverter'] # uses ImageMagick # or extensions += ['sphinxcontrib.rsvgconverter'] # converts SVG -> PDF ``` ([[sphinx-doc.org](https://www.sphinx-doc.org/en/master/usage/extensions/imgconverter.html?utm_source=chatgpt.com)][5]) --- **Bottom line:** Move (or vend) the image into the docs repository and reference it locally. That’s the simplest, CSP‑compliant, and most robust fix for `tvm.apache.org`. [1]: https://tvm.apache.org/ffi/_sources/get_started/stable_c_abi.rst "tvm.apache.org" [2]: https://www.jetbrains.com/guide/python/tutorials/sphinx_sites/more_authoring/?utm_source=chatgpt.com "More Authoring - JetBrains Guide" [3]: https://sphinxcontrib-images.readthedocs.io/ "sphinxcontrib-images 1.0.1 — sphinxcontrib-images 1 documentation" [4]: https://infra.apache.org/csp.html "Content Security Policy for project websites - Apache Infrastructure Website" [5]: https://www.sphinx-doc.org/en/master/usage/extensions/imgconverter.html?utm_source=chatgpt.com "A reference image converter using Imagemagick" -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
