sebbASF commented on PR #47: URL: https://github.com/apache/privacy-website/pull/47#issuecomment-2801256103
I'd not seen that reference; it would help to document the reason for the override in the file for future maintainers. Why is that exemption not in the default CSP? Is it only needed for the privacy site?

Also note that the `Header set` command completely replaces the standard CSP. AFAICT this means that basically everything is allowed, which I don't think was the intention. Either the standard CSP needs to allow for the frame (if appropriate) or the privacy override needs to ensure it preserves other aspects of the standard policy.
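To make the point in the comment above concrete, here is an added Python check (not code from the apache/privacy-website repository or this PR) that parses two Content-Security-Policy values and lists the directives that stop being restricted when the standard header is replaced outright by an override containing only a `frame-src` exemption. The policy strings are constructed for illustration, with `example.org` placeholders; they are not the site's real headers. The fallback chains follow the CSP Level 3 rules: an absent fetch directive falls back to `child-src`/`script-src`/`default-src` as applicable, and with no governing directive the browser allows everything.

```python
"""Show which CSP restrictions are lost when a header override replaces
the whole policy instead of extending it.

Added example, not part of the PR. The policies below are constructed.
"""

# Fallback chain per fetch directive (CSP Level 3). When a directive is
# absent the browser consults these in order; if none is present, that
# directive is unrestricted. Navigation/document directives never fall
# back to default-src.
FALLBACK = {
    "default-src": [],
    "child-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "img-src": ["default-src"],
    "manifest-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-ancestors": [],
    "base-uri": [],
    "form-action": [],
}

# Constructed sample policies (placeholder hosts, not the real site config).
STANDARD_CSP = (
    "default-src 'self'; script-src 'self' https://cdn.example.org; "
    "img-src 'self' data:; frame-ancestors 'none'"
)
# What a `Header set Content-Security-Policy "frame-src ..."` override
# leaves the browser with: only the frame exemption, nothing else.
OVERRIDE_ONLY_CSP = "frame-src https://forms.example.org"
# The standard policy extended with the same exemption.
MERGED_CSP = STANDARD_CSP + "; frame-src https://forms.example.org"


def parse_csp(value):
    """Parse a CSP header value into {directive: [source, ...]}.

    Directives are ';'-separated; the first token is the directive name
    (case-insensitive), the rest are source expressions. A repeated
    directive is ignored after its first occurrence, as browsers do.
    """
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Return the source list that actually governs `directive`, or None
    when nothing in the policy restricts it (everything is allowed)."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def lost_restrictions(standard_value, override_value):
    """Directives restricted by the standard policy that become
    unrestricted when the header is replaced by the override."""
    standard = parse_csp(standard_value)
    override = parse_csp(override_value)
    candidates = set(FALLBACK) | set(standard) | set(override)
    return [
        d for d in sorted(candidates)
        if effective_sources(standard, d) is not None
        and effective_sources(override, d) is None
    ]


if __name__ == "__main__":
    print("replace:", lost_restrictions(STANDARD_CSP, OVERRIDE_ONLY_CSP))
    print("merge:  ", lost_restrictions(STANDARD_CSP, MERGED_CSP))
```

Run against the constructed policies, the replacement form reports every script, image, connect, object and framing restriction as lost, which is the "basically everything is allowed" outcome the comment describes; the merged form reports nothing lost while still granting the frame exemption.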
