Ouch. If we are not supposed to call external services, then I believe we
can't solve on-site search with Google. Well, I could send the form to
google.com with site:freemarker.apache.org though... kind of lame. Not
sure if there's a common solution for this at Apache.

Also there's a font we load from a CDN apparently, and now that's also
blocked. Had to check the licence to decide if we can store it locally
(because then it has to be part of the source code too).

On Mon, Mar 24, 2025 at 3:39 PM Simon Hartley
<scrhart...@yahoo.co.uk.invalid> wrote:

> This does not work for me:
> https://freemarker.apache.org/docs/search-results.html?q=hello
> I have tested in Chrome and Firefox.
> When looking in the console, I can see CSP errors, even for
> https://freemarker.apache.org/
>
> I assume the search problem is due to this one (Google Programmable Search
> Engine / Google Custom Search):
> search-results.html?q=hello:52 Refused to load the script '
> https://cse.google.com/cse.js?cx=003127866208504630097:arjqbv_znfw'
> because it violates the following Content Security Policy directive:
> "script-src 'self' 'unsafe-inline' 'unsafe-eval'
> https://analytics.apache.org/ https://www.apachecon.com/";. Note that
> 'script-src-elem' was not explicitly set, so 'script-src' is used as a
> fallback.
>
> Looking at the response headers I see:
> Content-Security-Policy:
> default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ https://analytics.apache.org/;
> script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ https://www.apachecon.com/;
> style-src 'self' 'unsafe-inline' data:;
> frame-ancestors 'self';
> frame-src 'self' data: blob:;
> img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/;
> worker-src 'self' data: blob:;
>
> I assume the following is related: https://infra.apache.org/csp.html
> (effective March 1, 2025)
> Reading https://privacy.apache.org/policies/website-policy.html:
> "Assets (JavaScript files or snippets, images, fonts, CSS, etc.) from
> other domains cannot be loaded. All assets need to be hosted on ASF
> servers."
>
> Regards,
> Simon
>


-- 
Best regards,
Daniel Dekany
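
The CSP mechanics discussed in the thread above, as an added example (not FreeMarker or ASF code): a small evaluator that parses the quoted Content-Security-Policy header and decides, for each load, which directive governs it and whether it passes. It implements the fallback chain the console message mentions (script-src-elem to script-src to default-src) and the one that bites the font (font-src to default-src), plus 'self', scheme sources such as data:, and host sources with a *. wildcard. The font CDN URL, the local script and image paths, and the second-CSP examples are assumptions for illustration, not URLs from the thread.

```javascript
// Added example: evaluate a CSP header against a resource load the way the
// browser does. Header text is the one quoted in the thread; the font CDN,
// local script and image paths below are hypothetical.

// Fetch-directive fallback order per CSP3. Anything not listed here falls
// back straight to default-src.
const FALLBACK = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src-attr": ["script-src-attr", "script-src", "default-src"],
  "style-src-elem": ["style-src-elem", "style-src", "default-src"],
  "style-src-attr": ["style-src-attr", "style-src", "default-src"],
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
};

// Split "name v1 v2; name2 v3" into a Map. A repeated directive name is
// ignored after its first occurrence, as the spec requires.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function defaultPort(scheme) {
  return scheme === "https" ? "443" : scheme === "http" ? "80" : "";
}

// Does one source expression allow `url` for a page at `page`?
function sourceMatches(expr, url, page) {
  if (expr.startsWith("'")) {
    // Keywords: only 'self' can match a URL. 'none', 'unsafe-inline',
    // 'unsafe-eval', nonces and hashes say nothing about external loads.
    return expr.toLowerCase() === "'self'" && url.origin === page.origin;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return url.protocol === expr.toLowerCase(); // scheme-source, e.g. data:
  }
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, schemePart, hostPart, portPart, pathPart] = m;
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  const wantScheme = (schemePart || page.protocol.slice(0, -1)).toLowerCase();
  if (urlScheme !== wantScheme && !(wantScheme === "http" && urlScheme === "https")) return false;
  const host = hostPart.toLowerCase();
  const target = url.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // "*.apache.org" -> ".apache.org"; bare apache.org does not match
    if (!(target.endsWith(suffix) && target.length > suffix.length)) return false;
  } else if (host !== target) {
    return false;
  }
  if (portPart && portPart !== "*" && portPart !== (url.port || defaultPort(urlScheme))) return false;
  if (pathPart) {
    // A path ending in "/" is a prefix match; otherwise it must match exactly.
    return pathPart.endsWith("/") ? url.pathname.startsWith(pathPart) : url.pathname === pathPart;
  }
  return true;
}

// Decide whether loading `urlString` as `directive` (e.g. "font-src") from a
// page at `pageUrl` passes `header`. Also reports which directive governed
// the decision, which is what the browser's console message tells you.
function checkLoad(header, directive, urlString, pageUrl) {
  const policy = parseCsp(header);
  const url = new URL(urlString);
  const page = new URL(pageUrl);
  const chain = FALLBACK[directive] || [directive, "default-src"];
  const governedBy = chain.find((name) => policy.has(name)) || null;
  if (governedBy === null) return { allowed: true, governedBy }; // nothing restricts it
  const allowed = policy.get(governedBy).some((expr) => sourceMatches(expr, url, page));
  return { allowed, governedBy };
}

// The header quoted in the thread, joined onto one line.
const APACHE_CSP =
  "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ " +
  "https://www.communityovercode.org/ https://analytics.apache.org/; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ https://www.apachecon.com/; " +
  "style-src 'self' 'unsafe-inline' data:; frame-ancestors 'self'; frame-src 'self' data: blob:; " +
  "img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/; worker-src 'self' data: blob:;";

const PAGE = "https://freemarker.apache.org/docs/search-results.html?q=hello";

// The loads the thread talks about, plus hypothetical local and CDN URLs.
const LOADS = [
  ["script-src-elem", "https://cse.google.com/cse.js?cx=003127866208504630097:arjqbv_znfw"],
  ["script-src-elem", "https://freemarker.apache.org/js/site.js"], // assumed local path
  ["font-src", "https://fonts.example-cdn.net/roboto.woff2"],       // hypothetical font CDN
  ["img-src", "https://www.apache.org/img/asf_logo.png"],           // assumed path
];

for (const [directive, u] of LOADS) {
  const r = checkLoad(APACHE_CSP, directive, u, PAGE);
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${directive.padEnd(15)} ${u}  (via ${r.governedBy})`);
}
```

Running it reports the cse.google.com script as blocked by script-src (the fallback target for script-src-elem) and the CDN font as blocked by default-src, because no font-src is set and default-src lists only ASF hosts; a local script under 'self' and an image under https://*.apache.org/ pass.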
