Re: [I] The Content-Security-Policy header must not be overridden [beam]

Tue, 25 Nov 2025 07:58:14 -0800 


shunping commented on issue #36622:
URL: https://github.com/apache/beam/issues/36622#issuecomment-3576366598

   > In case it helps, I've just updated the Attic Docker image to make it easy 
to test the effect of using CSP_PROJECT_DOMAINS.
   > 
   > Details are in https://github.com/apache/attic/blob/main/DOCKER.md
   > 
   > The basic commands are:
   > 
   > docker compose build
   > 
   > VAR_HOSTURL=https://beam.apache.org CSP_PROJECT_DOMAINS="host1 host2" 
docker compose up
   > 
   > Navigate to localhost:8000
   > 
   > If you enable browser debugging, you should be able to see if there are 
any CSP errors in the console log.
   
   I followed the instructions and was able to find the lists of things that 
are currently violating the CSP.
   
   - Violation to `Content Security Policy directive: "style-src 'self' data: 
blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ 
https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ 
https://*.scarf.sh/  https://play.beam.apache.org/ https://www.youtube.com/ 
https://drive.google.com/"`
     - https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700
     - https://use.fontawesome.com/releases/v5.4.1/css/all.css
     - https://unpkg.com/swiper@8/swiper-bundle.min.css
   - Violation to `Content Security Policy directive: "script-src 'self' data: 
blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ 
https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ 
https://*.scarf.sh/  https://play.beam.apache.org/ https://www.youtube.com/ 
https://drive.google.com/"`
     - https://code.jquery.com/jquery-2.2.4.min.js
     - https://platform.twitter.com/widgets.js
     - https://static.hotjar.com/c/hotjar-2182187.js?sv=6
     - https://cse.google.com/cse.js?cx=012923275103528129024:4emlchv9wzi
   - Violation to `Content Security Policy directive: "default-src 'self' data: 
blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ 
https://www.communityovercode.org/ https://*.apache.org/ https://apache.org/ 
https://*.scarf.sh/  https://play.beam.apache.org/ https://www.youtube.com/ 
https://drive.google.com/"`
     - https://fonts.gstatic.com/{googlesymbols, googlematerialicons, 
googlesans, googlesanstext}  


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to