[ 
https://issues.apache.org/jira/browse/SLING-12650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Munteanu reassigned SLING-12650:
---------------------------------------

    Assignee: Robert Munteanu

> Newly applied ASF-wide CSP policies break the Sling website
> -----------------------------------------------------------
>
>                 Key: SLING-12650
>                 URL: https://issues.apache.org/jira/browse/SLING-12650
>             Project: Sling
>          Issue Type: Bug
>          Components: Site
>            Reporter: Radu Cotescu
>            Assignee: Robert Munteanu
>            Priority: Major
>
> The CSP added via https://github.com/apache/infrastructure-p6/pull/2025/files
> only allows resources served by the ASF servers to be loaded by the browser.
> This breaks the Sling website:
> {noformat}
> Refused to load the stylesheet 
> 'https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css' 
> because it violates the following Content Security Policy directive: 
> "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not 
> explicitly set, so 'style-src' is used as a fallback.
> apache-sling-eventing-and-job-handling.html:1 Refused to load the script 
> 'https://www.apachecon.com/event-images/snippet.js' because it violates the 
> following Content Security Policy directive: "script-src 'self' 
> 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/". Note that 
> 'script-src-elem' was not explicitly set, so 'script-src' is used as a 
> fallback.
> apache-sling-eventing-and-job-handling.html:8 Refused to load the stylesheet 
> 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css'
>  because it violates the following Content Security Policy directive: 
> "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not 
> explicitly set, so 'style-src' is used as a fallback.
> apache-sling-eventing-and-job-handling.html:1 Refused to load the script 
> 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js' 
> because it violates the following Content Security Policy directive: 
> "script-src 'self' 'unsafe-inline' 'unsafe-eval' 
> https://analytics.apache.org/". Note that 'script-src-elem' was not 
> explicitly set, so 'script-src' is used as a fallback.
> apache-sling-eventing-and-job-handling.html:10 Uncaught ReferenceError: hljs 
> is not defined
>     at apache-sling-eventing-and-job-handling.html:10:13
> apache-sling-eventing-and-job-handling.html:26 Refused to load the script 
> 'https://matomo.privacy.apache.org/matomo.js' because it violates the 
> following Content Security Policy directive: "script-src 'self' 
> 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/". Note that 
> 'script-src-elem' was not explicitly set, so 'script-src' is used as a 
> fallback.
> (anonymous) @ apache-sling-eventing-and-job-handling.html:26
> apache-sling-eventing-and-job-handling.html:1 Refused to load the image 
> 'data:image/svg+xml,%3Csvg width='18' height='18' viewBox='0 0 18 18' 
> fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12.7549 
> 11.255H11.9649L11.6849 10.985C12.6649 9.845 13.2549 8.365 13.2549 
> 6.755C13.2549 3.165 10.3449 0.255005 6.75488 0.255005C3.16488 0.255005 
> 0.254883 3.165 0.254883 6.755C0.254883 10.345 3.16488 13.255 6.75488 
> 13.255C8.36488 13.255 9.84488 12.665 10.9849 11.685L11.2549 
> 11.965V12.755L16.2549 17.745L17.7449 16.255L12.7549 11.255ZM6.75488 
> 11.255C4.26488 11.255 2.25488 9.245 2.25488 6.755C2.25488 4.26501 4.26488 
> 2.255 6.75488 2.255C9.24488 2.255 11.2549 4.26501 11.2549 6.755C11.2549 9.245 
> 9.24488 11.255 6.75488 11.255Z' fill='%23000000'/%3E%3C/svg%3E%0A' because it 
> violates the following Content Security Policy directive: "img-src 'self' 
> https://www.apache.org/".
> apache-sling-eventing-and-job-handling.html:1 Refused to load the stylesheet 
> 'https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css' 
> because it violates the following Content Security Policy directive: 
> "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not 
> explicitly set, so 'style-src' is used as a fallback.
> apache-sling-eventing-and-job-handling.html:1 Refused to load the stylesheet 
> 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css'
>  because it violates the following Content Security Policy directive: 
> "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not 
> explicitly set, so 'style-src' is used as a fallback.
> {noformat}
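As an added example, not code from this issue or from the ASF infrastructure repository, the following Python script turns browser console messages of the kind quoted above into the per-directive source expressions the current policy is missing, so the required allowlist change can be read off rather than guessed. The sample console text is constructed from the messages in this report; the regex, the reduction of each blocked URL to its origin, and the function names are assumptions about how to process them.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Browser CSP violation message: captures the blocked URL and the directive
# (name plus its current source list) that rejected it. \s+ tolerates the
# line wrapping that mail clients apply to long console lines.
VIOLATION_RE = re.compile(
    r"Refused to load the\s+(?P<kind>\w+)\s+'(?P<url>.*?)'\s+because it violates\s+"
    r"the following Content Security Policy directive:\s+\"(?P<directive>[^\"]*)\"",
    re.DOTALL,
)

# Constructed sample, derived from the console output quoted in this report.
SAMPLE_CONSOLE = """\
Refused to load the stylesheet 'https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
Refused to load the script 'https://matomo.privacy.apache.org/matomo.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/".
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/".
Refused to load the image 'data:image/svg+xml,%3Csvg width='18' height='18'%3E%3C/svg%3E' because it violates the following Content Security Policy directive: "img-src 'self' https://www.apache.org/".
"""


def source_expression(url: str) -> str:
    """Reduce a blocked URL to the CSP source expression that would permit it.

    data: URLs need the 'data:' scheme source. Any other URL is reduced to its
    origin (scheme + host), the usual granularity for allowlisting a CDN or an
    analytics host, rather than the full path of the one blocked resource.
    """
    if url.startswith("data:"):
        return "data:"
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}"


def missing_sources(console_text: str) -> dict:
    """Map each violated directive name to the sorted list of source
    expressions that its quoted source list does not already contain."""
    missing = defaultdict(set)
    for m in VIOLATION_RE.finditer(console_text):
        tokens = m.group("directive").split()
        name, allowed = tokens[0], {t.rstrip("/") for t in tokens[1:]}
        src = source_expression(m.group("url"))
        if src not in allowed:
            missing[name].add(src)
    return {name: sorted(srcs) for name, srcs in missing.items()}


if __name__ == "__main__":
    for directive, sources in missing_sources(SAMPLE_CONSOLE).items():
        print(f"{directive}: add {' '.join(sources)}")
```

Running it against the sample prints one line per directive; whether to allowlist those origins or to serve the assets from the site itself is the decision this report leaves to the infrastructure change.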



--
This message was sent by Atlassian Jira
(v8.20.10#820010)