The Content-Security-Policy header must not be overridden

[sebbASF]

Bug description

https://github.com/apache/superset-site/blob/663d02559ee97830125b4a2f5c8249557c6c4b68/.htaccess#L25

The Content-Security-Policy header must not be overridden.

There is now a standard way to add local exceptions to the CSP:

https://infra.apache.org/tools/csp.html

Please update the .htaccess file accordingly.

[AyushSinghal1794]

Hi, I’m working on this issue. The current CSP header on line 25 needs to be removed.
I was planning to add the following line instead:

SetEnv CSP_PROJECT_DOMAINS "*.apache.org widget.kapa.ai *.githubusercontent.com *.scarf.sh *.googleapis.com *.google.com *.run.app *.gstatic.com *.github.com *.algolia.net *.algolianet.com"

Are these domains already approved for use, or should I remove the header first and wait for approval before adding any domains?

[sebbASF]

You need to get approval before adding any domains. Also please document such approval in the .htaccess file.

The following are already included in the default:

https://www.apachecon.com/
https://www.communityovercode.org/
https://*.apache.org/
https://apache.org/
https://*.scarf.sh/

[rusackas]

@AyushSinghal1794 thanks for tackling. DM me on slack if you need help with the ASF part of the process.

[rusackas]

These are the ones that we have currently and were on the docket to be migrated:

https://widget.kapa.ai/
https://*.[githubusercontent.com/](http://githubusercontent.com/)
https://*.scarf.sh/
https://*.[googleapis.com/](http://googleapis.com/)
https://*.[google.com/](http://google.com/)
https://*.run.app/
https://*.[gstatic.com/](http://gstatic.com/)
https://*.[github.com/](http://github.com/)
https://*.[algolia.net/](http://algolia.net/)
https://*.[algolianet.com/](http://algolianet.com/)

However, I think all the google related ones are not OK and are no longer needed... we can remove those. That leaves us with the following items that are NOT on the above allowed-list:

widget.kapa.ai
githubusercontent.com
github.com
algolia.net
algolianet.com

I did find this page:
https://privacy.apache.org/policies/privacy-policy-public.html

• It lists Kapa.ai as OK to use as long as it's opt-in (which it is, on our site)
• Github is listed for source code, but I must assume that Github (and thus githubusercontent) are OK for serving static assets (code, images, etc) in general.
• Regarding Algolia, I don't see that on the ASF DPA page, but I did find this infra ticket: https://issues.apache.org/jira/browse/INFRA-27279

@sebbASF let me know if the above makes sense, and we can add those ones (removing all the google-related ones for good measure).

Thanks,

-e-

[sebbASF]

Regarding githubusercontent please see the privacy list email here [1] (requires login).
My reading of that email is that it is not allowed, but feel free to contact privacy@a.o to explain how you wish to use the domain and ask if the usage is permissible.

AFAICT, the website downloads a widget from kapa.ai before any consent has been given; that does not seem right.

Also the home page downloads an image from seeklogo.com.

Best to confirm other usages with privacy@a.o as well.

[1] https://lists.apache.org/thread/x3ypczw13m0q4s067r3tjqhlrb27rrvg

[sebbASF]

Note: it looks like there are other 3rd party resources that are being downloaded on some pages. For example, the https://superset.apache.org/docs/intro/ page downloads images from img.shields.io and badge.fury.io.

[rusackas]

@sebbASF I'll keep chipping away at this, thanks for the attention.

I just opened a PR to remove the seeklogo.com reference. That's definitely an "oops". Good catch on the shields.io/fury.io images as well. Those are the status badges. This isn't reflected in the CSP, but I'll find suitable (Github or custom) replacements for these in another PR:

The Kapa widget does load by default, but my understanding (and Kapa's) was that the DPA allows this. The site visitor has to opt in (via the modal) to interact with it or provide any input to the service.

I'll follow up with privacy@ with additional questions soon.

[sebbASF]

In case of interest:

Commons website used to link directly to shields.io, but now uses a script to convert the links into local references:

https://svn.apache.org/repos/asf/commons/cms-site/trunk/fixshields.py

It's run when the site is regenerated.

[rusackas]

I took out the badges for now, in this merged PR... I'll take your advice on re-adding/replacing those another way sooner or later. I'll keep chippin' at this until it's all sorted. :D

[sebbASF]

Note that badges are allowed on GitHub pages, because that is not an ASF host.
Only ASF sites need to abide by the ASF privacy policy. The CSP is intended to help enforce that.

So unless the README file is also deployed as part of the ASF website, it can link to badges.

However 3rd party items such as badges are not allowed on apache.org pages such as https://superset.apache.org/docs/6.0.0/intro unless they are hosted locally or we have a DPA with the provider(s). [Or the user has given explicit prior consent]

[rusackas]

OK.... badges are back on the readme (since that's OK), and the project/docs site (hosted by ASF) now scrapes THOSE into its own filesystem to host them locally. Should be all good on that front now.
#36495

[sebbASF]

The page https://superset.apache.org/docs/6.0.0/intro/ no longer downloads the badges from a 3rd party - great.

However, it references
https://next.ossinsight.io/widgets

The main page references
https://api.github.com/repos/apache/superset
I think that needs to be checked with Privacy.
As I understand it, not all references to GH are covered by the agreement.

[sebbASF]

Also, the htaccess file still overrides the default CSP:

superset/docs/static/.htaccess

Line 25 in 6b948ee

Header set Content-Security-Policy "default-src data: blob: 'self' *.apache.org widget.kapa.ai *.githubusercontent.com *.scarf.sh *.googleapis.com *.google.com *.run.app *.gstatic.com *.github.com *.algolia.net *.algolianet.com 'unsafe-inline' 'unsafe-eval'; frame-src *; frame-ancestors 'self' *.google.com https://sidebar.bugherd.com; form-action 'self'; worker-src blob:; img-src 'self' blob: data: https:; font-src 'self'; object-src 'none'"