There are numerous broken resources on our websites due to the
Content-Security-Policy HTTP header deployed by the ASF [1].

The CSP is quite restrictive:

    default-src 'self' data: blob: 'unsafe-inline'
        https://www.apachecon.com/ https://www.communityovercode.org/
        https://analytics.apache.org/;
    script-src 'self' 'unsafe-inline' 'unsafe-eval'
        https://analytics.apache.org/;
    style-src 'self' 'unsafe-inline' data:;
    frame-ancestors 'self';
    frame-src 'self' data: blob:;
    img-src 'self' data: https://*.apache.org/;
    worker-src 'self' data: blob:;

I was able to fix the Lato font not loading on the Calcite and Avatica
sites by self-hosting it in CALCITE-6843 [2].

There are still quite a few resources broken on both the Calcite and
Avatica sites, mostly images. For most images, we can easily self-host
our own copy. However, we use GitHub avatars for the Community and News
pages on both sites. We can either self-host all the avatars (but they
won't be updated if the user changes them on GitHub) or we can get rid
of them.

What do you guys think?

Francis

[1] https://infra.apache.org/csp.html
[2] https://issues.apache.org/jira/browse/CALCITE-6843
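
Added example (not part of the original message, and not ASF or Calcite code): a small Node.js check that parses the policy quoted above and reports which resource loads it refuses, including the fallback from the absent font-src directive to default-src. The page URL and the resource URLs are constructed samples, and source matching is simplified to scheme and host.

```javascript
// Policy string as quoted in the message above.
const ASF_CSP =
  "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ " +
  "https://www.communityovercode.org/ https://analytics.apache.org/; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/; " +
  "style-src 'self' 'unsafe-inline' data:; frame-ancestors 'self'; frame-src 'self' data: blob:; " +
  "img-src 'self' data: https://*.apache.org/; worker-src 'self' data: blob:;";

// Parse the header into a Map of directive name -> source list (first duplicate wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Simplified matching: scheme and host only (every host source here ends in "/", any path).
function sourceMatches(source, url, pageOrigin) {
  if (source.startsWith("'")) return source === "'self'" && url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/.exec(source);
  if (!m || (m[1] && url.protocol !== m[1] + ":")) return false;
  return m[2].startsWith("*.") ? url.hostname.endsWith(m[2].slice(1)) : url.hostname === m[2];
}

// True when a page at pageUrl may load resourceUrl; absent directives fall back to default-src.
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  const page = new URL(pageUrl);
  const url = new URL(resourceUrl, page);
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (!sources) return true; // no applicable directive: the load is not restricted
  return sources.some((s) => sourceMatches(s, url, page.origin));
}

// Constructed sample inputs (assumptions, not taken from the sites' real HTML).
const PAGE = "https://calcite.apache.org/community/";
const RESOURCES = [
  ["img-src", "/img/logo.svg"],
  ["img-src", "https://www.apache.org/img/example.png"],
  ["img-src", "https://avatars.githubusercontent.com/u/0"],
  ["font-src", "https://fonts.example/lato.woff2"],
];

// Return the sample URLs that the policy would block on the given page.
function blockedResources(policy, pageUrl, resources) {
  return resources.filter(([d, u]) => !isAllowed(policy, d, u, pageUrl)).map(([, u]) => u);
}
```

Calling blockedResources(parseCsp(ASF_CSP), PAGE, RESOURCES) returns the avatar and third-party font URLs; the same-origin image and the *.apache.org image pass.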