Posted to commits@superset.apache.org by ru...@apache.org on 2024/02/27 23:20:04 UTC
(superset) branch more-csp-madness created (now c98ca32021)
This is an automated email from the ASF dual-hosted git repository.
rusackas pushed a change to branch more-csp-madness
in repository https://gitbox.apache.org/repos/asf/superset.git
at c98ca32021 fix(docs): more csp tweaks
This branch includes the following new commits:
new c98ca32021 fix(docs): more csp tweaks
The 1 revision listed above as "new" is entirely new to this
repository and will be described in a separate email. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
(superset) 01/01: fix(docs): more csp tweaks
Posted by ru...@apache.org.
rusackas pushed a commit to branch more-csp-madness
in repository https://gitbox.apache.org/repos/asf/superset.git
commit c98ca320216dc0f24f6617ba57a571fe510e553a
Author: Evan Rusackas <ev...@rusackas.com>
AuthorDate: Tue Feb 27 16:19:55 2024 -0700
fix(docs): more csp tweaks
---
docs/static/.htaccess | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/docs/static/.htaccess b/docs/static/.htaccess
index 5453e5eb80..3e8582dee6 100644
--- a/docs/static/.htaccess
+++ b/docs/static/.htaccess
@@ -22,15 +22,10 @@ RewriteRule ^(.*)$ https://superset.apache.org/$1 [R,L]
RewriteCond %{HTTP_HOST} ^superset.incubator.apache.org$ [NC]
RewriteRule ^(.*)$ https://superset.apache.org/$1 [R=301,L]
-# Header set Content-Security-Policy "default-src 'self'; img-src *;"
-
-Header set Content-Security-Policy "default-src 'self'; \
-script-src 'self'; \
-img-src 'self' https://static.scarf.sh *; \
-style-src 'self' https://fonts.googleapis.com; \
-script-src-elem 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com; \
-style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://analytics.apache.org https://www.bugherd.com; \
-frame-ancestors 'self' https://preset.io; \
+Header set Content-Security-Policy "default-src data: blob: 'self' *.apache.org *.bugherd.com *.scarf.sh *.googleapis.com *.googletagmanager.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval'; \
+frame-src *; \
+frame-ancestors 'self' *.preset.io *.google.com https://sidebar.bugherd.com https://unpkg.com; \
+form-action 'self'; \
+worker-src blob:; img-src 'self' blob: data: https:; \
font-src 'self' https://fonts.gstatic.com; \
-frame-src 'self' https://calendar.google.com https://preset.io https://sidebar.bugherd.com https://unpkg.com; \
-"
+object-src 'none'
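Review bot: the closing double quote of the `Header set Content-Security-Policy "..."` argument appears to be missing at the end of this hunk. The old version terminated the continued string with a line containing only `"` (removed as `-"`), but the new final line is `+object-src 'none'` with no trailing `"` and no further lines, so the quoted value opened on `+Header set Content-Security-Policy "default-src data: blob: 'self' ...` is never closed; Apache will reject the directive, and a syntax error in `.htaccess` typically surfaces as a 500 for the whole docs site. Suggest ending the line as `+object-src 'none'"`. Beyond that, the new policy is far weaker than the one it replaces: `default-src` now carries `'unsafe-inline' 'unsafe-eval'` plus broad wildcards (`*.apache.org`, `*.googleapis.com`, ...), and because the explicit `script-src`, `script-src-elem` and `style-src-elem` directives were dropped, script loading now falls back to that `default-src`, so inline and `eval`-style script execution is permitted from any of those origins and the policy no longer mitigates XSS in any meaningful way. `frame-src *` likewise allows embedding any origin, where the previous line enumerated `https://calendar.google.com https://preset.io https://sidebar.bugherd.com https://unpkg.com`. If the goal is to unblock specific third-party widgets, consider keeping a dedicated `script-src` listing only the needed hosts (and `'unsafe-inline'` only if a nonce/hash approach is not feasible for the static site) and restoring the explicit `frame-src` allowlist, rather than relaxing `default-src` for everything. Keeping `form-action 'self'` and `object-src 'none'` is good, and it would be worth a comment in the file explaining which widget requires each allowed origin so the list can be pruned later.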