From 4f9468e95ae0d38d967f2a243c9e077d87811e27 Mon Sep 17 00:00:00 2001
From: Evan Rusackas <evan@rusackas.com>
Date: Tue, 16 Dec 2025 15:16:59 -0800
Subject: [PATCH 1/3] chore(docs): use SetEnv CSP_PROJECT_DOMAINS format for
 ASF compliance

Updates .htaccess to use the ASF-required format for CSP overrides:
- Use SetEnv CSP_PROJECT_DOMAINS instead of Header set Content-Security-Policy
- Document each required domain with its purpose
- Reference ASF CSP documentation

Required domains:
- widget.kapa.ai: AI chatbot widget
- *.googleapis.com, *.google.com, *.gstatic.com: Google Calendar, reCAPTCHA
- *.github.com, *.githubusercontent.com: GitHub images in docs
- *.algolia.net, *.algolianet.com: Algolia DocSearch

Fixes: https://github.com/apache/superset/issues/35845

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 README.md             | 11 -----------
 docs/static/.htaccess |  9 ++++++++-
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index e6dd708623d4..8760e6fc8a87 100644
--- a/README.md
+++ b/README.md
@@ -238,16 +238,5 @@ Understanding the Superset Points of View
 
 - [Superset API](https://superset.apache.org/docs/rest-api)
 
-## Repo Activity
-
-<a href="https://next.ossinsight.io/widgets/official/compose-last-28-days-stats?repo_id=39464018" target="_blank" align="center">
-  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://next.ossinsight.io/widgets/official/compose-last-28-days-stats/thumbnail.png?repo_id=39464018&image_size=auto&color_scheme=dark" width="655" height="auto" />
-    <img alt="Performance Stats of apache/superset - Last 28 days" src="https://next.ossinsight.io/widgets/official/compose-last-28-days-stats/thumbnail.png?repo_id=39464018&image_size=auto&color_scheme=light" width="655" height="auto" />
-  </picture>
-</a>
-
-<!-- Made with [OSS Insight](https://ossinsight.io/) -->
-
 <!-- telemetry/analytics pixel: -->
 <img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=bc1c90cd-bc04-4e11-8c7b-289fb2839492" />
diff --git a/docs/static/.htaccess b/docs/static/.htaccess
index f056e4423e54..05ec4742beac 100644
--- a/docs/static/.htaccess
+++ b/docs/static/.htaccess
@@ -22,7 +22,14 @@ RewriteRule ^(.*)$ https://superset.apache.org/$1 [R,L]
 RewriteCond %{HTTP_HOST} ^superset.incubator.apache.org$ [NC]
 RewriteRule ^(.*)$ https://superset.apache.org/$1 [R=301,L]
 
-Header set Content-Security-Policy "default-src data: blob: 'self' *.apache.org widget.kapa.ai *.githubusercontent.com *.scarf.sh *.googleapis.com *.google.com *.run.app *.gstatic.com *.github.com *.algolia.net *.algolianet.com 'unsafe-inline' 'unsafe-eval'; frame-src *; frame-ancestors 'self' *.google.com https://sidebar.bugherd.com; form-action 'self'; worker-src blob:; img-src 'self' blob: data: https:; font-src 'self'; object-src 'none'"
+# CSP permissions for superset.apache.org
+# Additional domains required for docs site functionality:
+# - widget.kapa.ai: AI chatbot widget (uses Google reCAPTCHA)
+# - *.googleapis.com, *.google.com, *.gstatic.com: Google Calendar embed, kapa.ai reCAPTCHA
+# - *.github.com, *.githubusercontent.com: GitHub user-attachment images in docs
+# - *.algolia.net, *.algolianet.com: Algolia DocSearch
+# See: https://infra.apache.org/tools/csp.html
+SetEnv CSP_PROJECT_DOMAINS "widget.kapa.ai https://*.googleapis.com/ https://*.google.com/ https://*.gstatic.com/ https://*.github.com/ https://*.githubusercontent.com/ https://*.algolia.net/ https://*.algolianet.com/"
 
 # REDIRECTS
 

From e6690e5721a4235860a8ad4f435dcc290efbb996 Mon Sep 17 00:00:00 2001
From: Evan Rusackas <evan@preset.io>
Date: Wed, 20 May 2026 14:07:21 -0700
Subject: [PATCH 2/3] Adding ASF references to allowed CSP modifications

---
 docs/static/.htaccess | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/static/.htaccess b/docs/static/.htaccess
index 05ec4742beac..c57a6df4ea2d 100644
--- a/docs/static/.htaccess
+++ b/docs/static/.htaccess
@@ -24,10 +24,10 @@ RewriteRule ^(.*)$ https://superset.apache.org/$1 [R=301,L]
 
 # CSP permissions for superset.apache.org
 # Additional domains required for docs site functionality:
-# - widget.kapa.ai: AI chatbot widget (uses Google reCAPTCHA)
-# - *.googleapis.com, *.google.com, *.gstatic.com: Google Calendar embed, kapa.ai reCAPTCHA
-# - *.github.com, *.githubusercontent.com: GitHub user-attachment images in docs
-# - *.algolia.net, *.algolianet.com: Algolia DocSearch
+# - widget.kapa.ai: AI chatbot widget (uses Google reCAPTCHA). Approval here: https://privacy.apache.org/faq/committers.html
+# - *.googleapis.com, *.google.com, *.gstatic.com: Google Calendar embed, kapa.ai reCAPTCHA - all of these loaded with user consent, following policy laid out in https://privacy.apache.org/faq/committers.html 
+# - *.github.com, *.githubusercontent.com: GitHub user-attachment images in docs. Discussed/resolved in this thread: https://issues.apache.org/jira/browse/INFRA-25701?filter=-2 (DPA in place with GitHub)
+# - *.algolia.net, *.algolianet.com: Algolia DocSearch. Approved here: https://privacy.apache.org/faq/committers.html
 # See: https://infra.apache.org/tools/csp.html
 SetEnv CSP_PROJECT_DOMAINS "widget.kapa.ai https://*.googleapis.com/ https://*.google.com/ https://*.gstatic.com/ https://*.github.com/ https://*.githubusercontent.com/ https://*.algolia.net/ https://*.algolianet.com/"
 

From 279b219233707d1e8e55273715d0f77b977d45bf Mon Sep 17 00:00:00 2001
From: Claude Code <noreply@anthropic.com>
Date: Sat, 13 Jun 2026 08:51:21 -0700
Subject: [PATCH 3/3] chore(docs): strip trailing whitespace in .htaccess CSP
 comment

Fixes the pre-commit trailing-whitespace failure.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 docs/static/.htaccess | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/static/.htaccess b/docs/static/.htaccess
index c57a6df4ea2d..c37e7fbcc974 100644
--- a/docs/static/.htaccess
+++ b/docs/static/.htaccess
@@ -25,7 +25,7 @@ RewriteRule ^(.*)$ https://superset.apache.org/$1 [R=301,L]
 # CSP permissions for superset.apache.org
 # Additional domains required for docs site functionality:
 # - widget.kapa.ai: AI chatbot widget (uses Google reCAPTCHA). Approval here: https://privacy.apache.org/faq/committers.html
-# - *.googleapis.com, *.google.com, *.gstatic.com: Google Calendar embed, kapa.ai reCAPTCHA - all of these loaded with user consent, following policy laid out in https://privacy.apache.org/faq/committers.html 
+# - *.googleapis.com, *.google.com, *.gstatic.com: Google Calendar embed, kapa.ai reCAPTCHA - all of these loaded with user consent, following policy laid out in https://privacy.apache.org/faq/committers.html
 # - *.github.com, *.githubusercontent.com: GitHub user-attachment images in docs. Discussed/resolved in this thread: https://issues.apache.org/jira/browse/INFRA-25701?filter=-2 (DPA in place with GitHub)
 # - *.algolia.net, *.algolianet.com: Algolia DocSearch. Approved here: https://privacy.apache.org/faq/committers.html
 # See: https://infra.apache.org/tools/csp.html