rusackas commented on code in PR #36685:
URL: https://github.com/apache/superset/pull/36685#discussion_r3210745446


##########
docs/static/.htaccess:
##########
@@ -22,7 +22,14 @@ RewriteRule ^(.*)$ https://superset.apache.org/$1 [R,L]
 RewriteCond %{HTTP_HOST} ^superset.incubator.apache.org$ [NC]
 RewriteRule ^(.*)$ https://superset.apache.org/$1 [R=301,L]
 
-Header set Content-Security-Policy "default-src data: blob: 'self' 
*.apache.org widget.kapa.ai *.githubusercontent.com *.scarf.sh *.googleapis.com 
*.google.com *.run.app *.gstatic.com *.github.com *.algolia.net 
*.algolianet.com 'unsafe-inline' 'unsafe-eval'; frame-src *; frame-ancestors 
'self' *.google.com https://sidebar.bugherd.com; form-action 'self'; worker-src 
blob:; img-src 'self' blob: data: https:; font-src 'self'; object-src 'none'"
+# CSP permissions for superset.apache.org
+# Additional domains required for docs site functionality:
+# - widget.kapa.ai: AI chatbot widget (uses Google reCAPTCHA)
+# - *.googleapis.com, *.google.com, *.gstatic.com: Google Calendar embed, 
kapa.ai reCAPTCHA
+# - *.github.com, *.githubusercontent.com: GitHub user-attachment images in 
docs
+# - *.algolia.net, *.algolianet.com: Algolia DocSearch
+# See: https://infra.apache.org/tools/csp.html
+SetEnv CSP_PROJECT_DOMAINS "widget.kapa.ai https://*.googleapis.com/ 
https://*.google.com/ https://*.gstatic.com/ https://*.github.com/ 
https://*.githubusercontent.com/ https://*.algolia.net/ 
https://*.algolianet.com/";
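
Review bot: The added `SetEnv CSP_PROJECT_DOMAINS` line ends with `";`, but Apache directives are not terminated by a semicolon, and the removed `Header set` line had none. Drop the trailing `;` so it cannot be read as an extra argument to `SetEnv`. The value also mixes source forms: `widget.kapa.ai` has no scheme, while every other entry is written as `https://*.../`, so one form throughout would be easier to audit. Separately, `*.scarf.sh` and `*.run.app` from the removed header, and `https://sidebar.bugherd.com` from its `frame-ancestors`, appear in neither the new list nor the comment block. If dropping them is intentional, a line in the comment saying so would help.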

Review Comment:
   ```suggestion
   # Additional domains required for docs site functionality:
   # - widget.kapa.ai: AI chatbot widget (uses Google reCAPTCHA). Approval 
here: https://privacy.apache.org/faq/committers.html
   # - *.googleapis.com, *.google.com, *.gstatic.com: Google Calendar embed, 
kapa.ai reCAPTCHA - all of these loaded with user consent, following policy 
laid out in https://privacy.apache.org/faq/committers.html 
   # - *.github.com, *.githubusercontent.com: GitHub user-attachment images in 
docs. Discussed/resolved in this thread: 
https://issues.apache.org/jira/browse/INFRA-25701?filter=-2 (DPA in place with 
GitHub)
   # - *.algolia.net, *.algolianet.com: Algolia DocSearch. Approved here: 
https://privacy.apache.org/faq/committers.html
   # See: https://infra.apache.org/tools/csp.html
   SetEnv CSP_PROJECT_DOMAINS "widget.kapa.ai https://*.googleapis.com/ 
https://*.google.com/ https://*.gstatic.com/ https://*.github.com/ 
https://*.githubusercontent.com/ https://*.algolia.net/ 
https://*.algolianet.com/";
   ```


