Posted to commits@superset.apache.org by ru...@apache.org on 2024/02/27 23:20:04 UTC

(superset) branch more-csp-madness created (now c98ca32021)

This is an automated email from the ASF dual-hosted git repository.

rusackas pushed a change to branch more-csp-madness
in repository https://gitbox.apache.org/repos/asf/superset.git


      at c98ca32021 fix(docs): more csp tweaks

This branch includes the following new commits:

     new c98ca32021 fix(docs): more csp tweaks

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



(superset) 01/01: fix(docs): more csp tweaks

Posted by ru...@apache.org.

rusackas pushed a commit to branch more-csp-madness
in repository https://gitbox.apache.org/repos/asf/superset.git

commit c98ca320216dc0f24f6617ba57a571fe510e553a
Author: Evan Rusackas <ev...@rusackas.com>
AuthorDate: Tue Feb 27 16:19:55 2024 -0700

    fix(docs): more csp tweaks
---
 docs/static/.htaccess | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/docs/static/.htaccess b/docs/static/.htaccess
index 5453e5eb80..3e8582dee6 100644
--- a/docs/static/.htaccess
+++ b/docs/static/.htaccess
@@ -22,15 +22,10 @@ RewriteRule ^(.*)$ https://superset.apache.org/$1 [R,L]
 RewriteCond %{HTTP_HOST} ^superset.incubator.apache.org$ [NC]
 RewriteRule ^(.*)$ https://superset.apache.org/$1 [R=301,L]
 
-# Header set Content-Security-Policy "default-src 'self'; img-src *;"
-
-Header set Content-Security-Policy "default-src 'self'; \
-script-src 'self'; \
-img-src 'self' https://static.scarf.sh *; \
-style-src 'self' https://fonts.googleapis.com; \
-script-src-elem 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com; \
-style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://analytics.apache.org https://www.bugherd.com; \
-frame-ancestors 'self' https://preset.io; \
+Header set Content-Security-Policy "default-src data: blob: 'self' *.apache.org *.bugherd.com *.scarf.sh *.googleapis.com *.googletagmanager.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval'; \
+frame-src *; \
+frame-ancestors 'self' *.preset.io *.google.com https://sidebar.bugherd.com https://unpkg.com; \
+form-action 'self'; \
+worker-src blob:; img-src 'self' blob: data: https:; \
 font-src 'self' https://fonts.gstatic.com; \
-frame-src 'self' https://calendar.google.com https://preset.io https://sidebar.bugherd.com https://unpkg.com; \
-"
+object-src 'none'
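Review bot: the rewritten Header directive at the end of this hunk is never closed. The old terminator line `-"` is removed, but the new last line `+object-src 'none'` carries no closing `"`, and the preceding `font-src 'self' https://fonts.gstatic.com; \` still ends in a line continuation, so the quoted value of `Header set Content-Security-Policy "...` is left unterminated and Apache will either reject the .htaccess or absorb whatever follows into the header value. Append the closing `"` after `object-src 'none'`. Separately, the replacement policy is much looser than the one it deletes: `default-src` now includes `'unsafe-inline'` and `'unsafe-eval'` together with `data:`, `blob:` and wildcard hosts, which applies to every fetch directive that is not set explicitly (script-src and style-src no longer are), and `frame-src *` replaces the explicit allowlist `'self' https://calendar.google.com https://preset.io https://sidebar.bugherd.com https://unpkg.com`. If the intent is only to unbreak specific embeds, keep the host allowlist in `frame-src` and scope `'unsafe-inline'` to `script-src-elem` / `style-src-elem` as the removed lines did, rather than granting it through `default-src`; the commit message "more csp tweaks" should also say why the policy was widened.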