The Content-Security-Policy header must not be overridden

[sebbASF]

apisix-website/.htaccess

Line 21 in 0435d6f

Header set Content-Security-Policy "frame-src 'self' https://www.google.com https://app.netlify.com"

The Content-Security-Policy header must not be overridden.

There is now a standard way to add local exceptions to the CSP:

https://infra.apache.org/tools/csp.html

Please update the .htaccess file accordingly.

[sebbASF]

Please note that the policy says that any exceptions must have been approved, and a reference to the approval must be commented in the .htaccess file

[SkyeYoung]

@juzhiyuan @guoqqqi Could you please confirm the original requirements for these configurations? And help remove or adjust the content

[juzhiyuan]

I don't have any idea what should I do ....

[sebbASF]

I've just done a GH search for www.google.com and app.netlify.com in this repo, and the only references were in the .htaccess file; it seems that particular override is not needed.

However, the current setting overrides the rest of the required CSP, so merely dropping the file would likely cause some pages to fail.

I suggest creating a preview website where changes can be tested. I hope to raise PRs for this later.

[sebbASF]

See PR #1969

Once this is in place, it should be possible to experiment with changes to the CSP as follows:

Create a copy of the asf-site branch with the name preview/csptest-staging. (There is no need to rebuild the site from source). Before publishing the preview branch, remove the .htaccess file from it. This will show which resources would be affected.

The website should appear as https://apisix-csptest.staged.apache.org/ a short while after publication.

Various pages can then be tested to see if they are affected.
There will probably need to be several iterations to determine which 3rd party resources can be allowed via exceptions to the policy, and which resources must be copied locally (e.g. fonts should be locally sourced).

[sebbASF]

It would also be possible to start from a copy of the source in a branch named preview/csptest.
This would require changes to the deploy.yaml file to build from preview/csptest and output to preview/csptest-staging.