
chore(docs): tighten CSP and remove external widgets #36685

Open
rusackas wants to merge 5 commits into master from chore/remove-unused-csp-domain

Conversation

rusackas (Member) commented Dec 16, 2025

Summary

Tightens the Content-Security-Policy in .htaccess and removes unused external widgets to address ASF compliance concerns.

CSP Changes:

  • Remove unused *.run.app domain from default-src
  • Restrict frame-src * to frame-src 'self' calendar.google.com (only iframe is Google Calendar on community page)

README Changes:

  • Remove OSS Insight "Repo Activity" widget (external dependency on next.ossinsight.io)

Investigation findings for remaining CSP domains:

  • *.github.com - Needed for user-attachment images in docs:
    • docs/developer_portal/extensions/architecture.md (2 architecture diagrams)
    • docs/versioned_docs/version-6.0.0/intro.md (video)
  • *.googleapis.com, *.google.com, *.gstatic.com - Kept - Used by kapa.ai reCAPTCHA and Google Calendar embed

Fixes: #35845

Test Plan

  • Verify docs site loads correctly after deployment
  • Verify Google Calendar embed on community page still works
  • Verify kapa.ai widget still functions

🤖 Generated with Claude Code
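The point of the CSP change above is that `frame-src *` lets any origin be framed, while `frame-src 'self' calendar.google.com` allows exactly one embed. The following is an added example, not code from the Superset repository, this PR, or ASF infrastructure: a small CSP parser that flags over-broad sources and answers "may this host be framed?" with the spec's frame-src → child-src → default-src fallback. The `CSP_BEFORE` and `CSP_AFTER` values are constructed to mirror the described change (bare `frame-src *`, an unused `*.run.app` entry); the real .htaccess header is not reproduced on this page.

```python
"""Audit a Content-Security-Policy value for over-broad sources.

Added example for this thread; it is not code from the Superset repository,
the PR, or ASF infrastructure. CSP_BEFORE and CSP_AFTER are constructed to
mirror the change the PR describes (a bare `frame-src *` and an unused
`*.run.app` entry replaced by a narrower allowlist); the real .htaccess
header is not reproduced on the page.
"""
from typing import Dict, List

# Constructed "before" policy modelled on the PR description, not the real header.
CSP_BEFORE = (
    "default-src 'self' https://*.run.app; "
    "img-src 'self' https://*.github.com data:; "
    "frame-src *"
)

# Constructed "after" policy: frame-src narrowed to the one embedded iframe.
CSP_AFTER = (
    "default-src 'self'; "
    "img-src 'self' https://*.github.com data:; "
    "frame-src 'self' calendar.google.com"
)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expression, ...]}.

    Directives are ';'-separated; the first token of each is the directive
    name (case-insensitive, so lower-cased here), the rest are sources.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(value: str) -> List[str]:
    """Return findings for sources broader than an allowlist should be.

    Flags a bare '*' (any origin), wildcard hosts ('*.example', every
    subdomain) and 'unsafe-inline'/'unsafe-eval' in the effective script
    sources (script-src, or default-src when script-src is absent).
    """
    policy = parse_csp(value)
    findings: List[str] = []
    for directive, sources in policy.items():
        for src in sources:
            if src == "*":
                findings.append(f"{directive}: bare '*' allows any origin")
            elif "*." in src:
                findings.append(f"{directive}: wildcard host {src} allows every subdomain")
    script_sources = policy.get("script-src", policy.get("default-src", []))
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in script_sources:
            findings.append(f"script sources allow {keyword}")
    return findings


def host_matches(sources: List[str], host: str) -> bool:
    """Does any source expression match `host`?

    Handles '*', exact hosts and '*.example' wildcards. Keyword sources
    ('self', 'none', ...) and scheme-only sources (data:) never match a host
    here; ports and paths are ignored, a simplification of the spec.
    """
    for src in sources:
        if src == "*":
            return True
        if src.startswith("'") or src.endswith(":"):
            continue
        pattern = src.split("://", 1)[-1].rstrip("/")
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # pattern[1:] is ".example.com"
                return True
        elif pattern == host:
            return True
    return False


def frame_allowed(value: str, host: str) -> bool:
    """May `host` be embedded in an iframe under this policy?

    frame-src falls back to child-src, then default-src, as the CSP spec
    defines; with no applicable directive at all, framing is unrestricted.
    """
    policy = parse_csp(value)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return host_matches(policy[directive], host)
    return True


if __name__ == "__main__":
    for label, csp in (("before", CSP_BEFORE), ("after", CSP_AFTER)):
        print(f"{label}: {audit_csp(csp) or ['no findings']}")
        print(f"  frames evil.example: {frame_allowed(csp, 'evil.example')}")
        print(f"  frames calendar.google.com: {frame_allowed(csp, 'calendar.google.com')}")
```

Running it shows the "before" policy framing any host and the "after" policy framing only calendar.google.com; the remaining `*.github.com` wildcard still shows up as a finding, which is the kind of entry the thread later asks to justify with an approval link.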

github-actions Bot added the label "doc Namespace | Anything related to documentation" Dec 16, 2025
codeant-ai-for-open-source Bot added the label "size:XS This PR changes 0-9 lines, ignoring generated files" Dec 16, 2025

bito-code-review Bot (Contributor) left a comment

Code Review Agent Run #7062e4

Actionable Suggestions - 1
  • docs/static/.htaccess - 1
Review Details
  • Files reviewed - 1 · Commit Range: 5e7fe33..5e7fe33
    • docs/static/.htaccess
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful


rusackas force-pushed the chore/remove-unused-csp-domain branch from 5e7fe33 to f634952 on December 16, 2025 23:37
rusackas changed the title from "chore(docs): remove unused *.run.app from CSP" to "chore(docs): remove unused or unapproved CSP entries per ASF policies" Dec 17, 2025
rusackas marked this pull request as draft December 17, 2025 00:16
rusackas force-pushed the chore/remove-unused-csp-domain branch from f634952 to d1eddc6 on December 17, 2025 00:22
rusackas changed the title from "chore(docs): remove unused or unapproved CSP entries per ASF policies" to "chore(docs): tighten CSP and remove external widgets" Dec 17, 2025
sebbASF commented Dec 17, 2025

Sorry, but the correct way to override the CSP is to provide a list of hostnames using a variable definition of the form:

SetEnv CSP_PROJECT_DOMAINS "host1 host2 host3"

as described here:

https://infra.apache.org/tools/csp.html

As mentioned previously [1], the CSP itself must not be replaced.

[1] #35845 (comment)

rusackas force-pushed the chore/remove-unused-csp-domain branch from d1eddc6 to b21a0be on February 6, 2026 06:51
rusackas (Member, Author) commented Feb 6, 2026

@sebbASF Thanks for the guidance! I've updated the .htaccess to use the correct SetEnv CSP_PROJECT_DOMAINS format as specified in https://infra.apache.org/tools/csp.html

The domains included are:

  • widget.kapa.ai - AI chatbot widget
  • https://*.googleapis.com/, https://*.google.com/, https://*.gstatic.com/ - Google Calendar embed, reCAPTCHA
  • https://*.github.com/, https://*.githubusercontent.com/ - GitHub user-attachment images in docs
  • https://*.algolia.net/, https://*.algolianet.com/ - Algolia DocSearch

Let me know if any of these need VP Data Privacy approval or if the format needs adjustment.

netlify Bot commented Feb 6, 2026

Deploy Preview for superset-docs-preview ready!

Latest commit: 279b219
Latest deploy log: https://app.netlify.com/projects/superset-docs-preview/deploys/6a2d7c860a3cf40008bb539e
Deploy Preview: https://deploy-preview-36685--superset-docs-preview.netlify.app

Updates .htaccess to use the ASF-required format for CSP overrides:
- Use SetEnv CSP_PROJECT_DOMAINS instead of Header set Content-Security-Policy
- Document each required domain with its purpose
- Reference ASF CSP documentation

Required domains:
- widget.kapa.ai: AI chatbot widget
- *.googleapis.com, *.google.com, *.gstatic.com: Google Calendar, reCAPTCHA
- *.github.com, *.githubusercontent.com: GitHub images in docs
- *.algolia.net, *.algolianet.com: Algolia DocSearch

Fixes: #35845

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
rusackas force-pushed the chore/remove-unused-csp-domain branch from b21a0be to 4f9468e on February 6, 2026 06:53

sebbASF commented Feb 6, 2026

All the CSP exclusions need to be supported by links to a document (webpage or email etc) that provides the permission.

For example, kapa.ai and algolia are documented here:

https://privacy.apache.org/faq/committers.html

Note that there are conditions on how some exceptions can be included.

Any other exceptions must have explicit permission from Privacy.
If in doubt, please ask permission.

@rusackas rusackas marked this pull request as ready for review June 13, 2026 15:49
rusackas and others added 2 commits June 13, 2026 08:49
Fixes the pre-commit trailing-whitespace failure.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
rusackas (Member, Author) commented

@sebbASF Done - each domain in CSP_PROJECT_DOMAINS now has an inline comment citing its approval source (privacy.apache.org/faq/committers.html for kapa.ai/Google/Algolia, and INFRA-25701 for the GitHub user-attachment images). Let me know if any of those need a stronger reference.

bito-code-review Bot (Contributor) commented Jun 13, 2026

Code Review Agent Run #03f562

Actionable Suggestions - 0
Additional Suggestions - 2
  • docs/static/.htaccess - 2
    • CWE-1088: Removed CSP Domain References · Line 25-32
      The original inline CSP header included `*.run.app` and `https://sidebar.bugherd.com` which are not present in the new `CSP_PROJECT_DOMAINS`. Verify these domains are no longer needed before merging.
    • CWE-1087: Inconsistent Domain Format · Line 32-32
      The `widget.kapa.ai` entry lacks the `https://` scheme prefix and trailing slash that all other domains in `CSP_PROJECT_DOMAINS` have. Per Apache Infrastructure's CSP format, entries should be consistent: `https://widget.kapa.ai/`
      Code suggestion
      --- docs/static/.htaccess (line 32) ---
       32: -SetEnv CSP_PROJECT_DOMAINS "widget.kapa.ai https://*.googleapis.com/ https://*.google.com/ https://*.gstatic.com/ https://*.github.com/ https://*.githubusercontent.com/ https://*.algolia.net/ https://*.algolianet.com/"
       32: +SetEnv CSP_PROJECT_DOMAINS "https://widget.kapa.ai/ https://*.googleapis.com/ https://*.google.com/ https://*.gstatic.com/ https://*.github.com/ https://*.githubusercontent.com/ https://*.algolia.net/ https://*.algolianet.com/"
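Review bot: the `+` line only adds the scheme and trailing slash to widget.kapa.ai and leaves every other entry as a whole-subdomain wildcard (https://*.google.com/, https://*.github.com/, https://*.githubusercontent.com/, https://*.algolia.net/); the PR description ties these to specific uses (the Google Calendar embed, reCAPTCHA, GitHub user-attachment images, DocSearch), so check whether exact hosts would cover them before keeping subdomain trees, and cite the section of https://infra.apache.org/tools/csp.html that prescribes the `https://host/` form rather than asserting it as the required format.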
Review Details
  • Files reviewed - 1 · Commit Range: 4f9468e..279b219
    • docs/static/.htaccess
  • Files skipped - 1
    • README.md - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo


Labels

doc Namespace | Anything related to documentation preset-io review:draft size/S size:XS This PR changes 0-9 lines, ignoring generated files


Development

Successfully merging this pull request may close these issues.

The Content-Security-Policy header must not be overridden

4 participants