FYI

-------- Forwarded Message --------
Subject:  [NOTICE] New Content Security Policy for all ASF project websites
Date:     Sat, 11 Jan 2025 23:16:27 +0100
From:     Daniel Gruno <humbed...@apache.org>
Reply-To: us...@infra.apache.org
To:       annou...@infra.apache.org



Hello, wonderful ASF projects (via annou...@infra.apache.org),

In keeping with the times, evermore focused on respecting the privacy
and security of our users, we will be enforcing a Content Security
Policy (CSP) for all project websites as of March 1st, 2025.

On February 1st, we will begin a brownout, during which we will turn on
the new CSP briefly, then turn it off again, giving people a chance to
detect and report any elements on websites that have stopped working as
a result.

On March 1st, the new CSP will become permanent.

In its condensed form, what this means for your project website is:

- External trackers from 3rd party providers are NO LONGER allowed[1].
- External resources from providers with which we do not have a
Data Processing Agreement (DPA) are NO LONGER allowed[2].

This change will bring project websites into alignment with the security
and privacy parameters[3] as defined by the VP, Data Privacy and
requested by the ASF Security Committee.

We ask that projects do not circumvent them without express permission
from our VP, Data Privacy.

We understand that this may cause disruption to some sites and are as
always willing to help projects adjust their sites to meet the new
mandates. We also wish to note that the most commonly asked questions
can be answered by the three footnotes at the bottom of this email.

If you have questions surrounding the technical implementation of the
CSP, send them to us at us...@infra.apache.org. For the implementation
itself, and the new limitations imposed on websites, please refer to the
following pull request for details:
https://github.com/apache/infrastructure-p6/pull/2025/files

If you have any questions about existing privacy agreements or privacy
policies, get in touch with priv...@apache.org. Any additions to our
existing website privacy policy should also be suggested here.

We also welcome you to read up on our current privacy policies at:
https://privacy.apache.org/


With regards,
Daniel on behalf of ASF Infra.


[1] The ASF offers Matomo analytics for all project websites through
https://analytics.apache.org/
[2] If you have a DPA request or inquiry, contact priv...@apache.org.
They can also tell you if a provider already signed a DPA.
[3] https://privacy.apache.org/policies/website-policy.html
