The Content-Security-Policy header must not be overridden

[sebbASF]

https://github.com/apache/camel-website-pub/blob/d3787ed85ad2c188955b8e0c887ef40923c5608e/.htaccess#L1909

The Content-Security-Policy header must not be overridden.

There is now a standard way to add local exceptions to the CSP:

https://infra.apache.org/tools/csp.html

Please update the .htaccess file accordingly.

[zregvart]

I think the policy we have in place is stricter than the ASF default one. Have a look at the current infra setting

I think we might not need form-action 'self', can tolerate changing frame-ancestors 'none' to frame-ancestors 'self', removing upgrade-insecure-requests, and I think the connect-src, img-src and child-src that we have set very strictly, can be replaced with script-src, style-src and frame-src set broadly to CSP_PROJECT_DOMAINS with some caveats: We should note that this would allow algolianet.com, algolianet.net or githubusercontent.com to inject a frame, which we do not allow under the current CSP.

[sebbASF]

That is something to take up with Infra, as they set the Policy

[sebbASF]

Also the policy requires approval before overrides can be added, and such approval must be documented in the .htaccess file

[zregvart]

The Content-Security-Policy headers we have predate any ASF policy change, by five years. But thanks for informing us, we will deal with this when we find the time. You can also help us if you'd be so inclined to do. We have written instructions on how to contribute to Camel, and the website's readme should be help you get started. In particular you might find the instructions on running Apache HTTPD locally to test changes to .htaccess useful.

[GaneshPatil7517]

hey @davsclaus assign me ill work on this.....